hxxps://vencord[.]dev/

Analysis

max time kernel
273s
max time network
281s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
29/04/2024, 19:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://vencord.dev/

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 7 IoCs

pid	Process
4036	VencordInstaller.exe
3608	VencordInstaller.exe
5084	VencordInstaller.exe
4300	VencordInstaller.exe
3908	VencordInstallerCli.exe
1448	VencordInstaller.exe
8	VencordInstaller.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	VencordInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	VencordInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	VencordInstaller.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 270819.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\VencordInstaller.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 267588.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\VencordInstallerCli.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2520	msedge.exe
2520	msedge.exe
4424	msedge.exe
4424	msedge.exe
5000	identity_helper.exe
5000	identity_helper.exe
1700	msedge.exe
1700	msedge.exe
2148	msedge.exe
2148	msedge.exe
4604	msedge.exe
4604	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2332	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2332	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe
4424	msedge.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4036	VencordInstaller.exe
3608	VencordInstaller.exe
5084	VencordInstaller.exe
4300	VencordInstaller.exe
1448	VencordInstaller.exe
8	VencordInstaller.exe
1592	OpenWith.exe
4976	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4424 wrote to memory of 2292	4424	msedge.exe	78
PID 4424 wrote to memory of 2292	4424	msedge.exe	78
PID 4424 wrote to memory of 3584	4424	msedge.exe	79
PID 4424 wrote to memory of 3584	4424	msedge.exe	79
PID 4424 wrote to memory of 3584	4424	msedge.exe	79
PID 4424 wrote to memory of 3584	4424	msedge.exe	79
PID 4424 wrote to memory of 3584	4424	msedge.exe	79
PID 4424 wrote to memory of 3584	4424	msedge.exe	79
PID 4424 wrote to memory of 3584	4424	msedge.exe	79
PID 4424 wrote to memory of 3584	4424	msedge.exe	79
PID 4424 wrote to memory of 3584	4424	msedge.exe	79
PID 4424 wrote to memory of 3584	4424	msedge.exe	79
PID 4424 wrote to memory of 3584	4424	msedge.exe	79
PID 4424 wrote to memory of 3584	4424	msedge.exe	79
PID 4424 wrote to memory of 3584	4424	msedge.exe	79
PID 4424 wrote to memory of 3584	4424	msedge.exe	79
PID 4424 wrote to memory of 3584	4424	msedge.exe	79
PID 4424 wrote to memory of 3584	4424	msedge.exe	79
PID 4424 wrote to memory of 3584	4424	msedge.exe	79
PID 4424 wrote to memory of 3584	4424	msedge.exe	79
PID 4424 wrote to memory of 3584	4424	msedge.exe	79
PID 4424 wrote to memory of 3584	4424	msedge.exe	79
PID 4424 wrote to memory of 3584	4424	msedge.exe	79
PID 4424 wrote to memory of 3584	4424	msedge.exe	79
PID 4424 wrote to memory of 3584	4424	msedge.exe	79
PID 4424 wrote to memory of 3584	4424	msedge.exe	79
PID 4424 wrote to memory of 3584	4424	msedge.exe	79
PID 4424 wrote to memory of 3584	4424	msedge.exe	79
PID 4424 wrote to memory of 3584	4424	msedge.exe	79
PID 4424 wrote to memory of 3584	4424	msedge.exe	79
PID 4424 wrote to memory of 3584	4424	msedge.exe	79
PID 4424 wrote to memory of 3584	4424	msedge.exe	79
PID 4424 wrote to memory of 3584	4424	msedge.exe	79
PID 4424 wrote to memory of 3584	4424	msedge.exe	79
PID 4424 wrote to memory of 3584	4424	msedge.exe	79
PID 4424 wrote to memory of 3584	4424	msedge.exe	79
PID 4424 wrote to memory of 3584	4424	msedge.exe	79
PID 4424 wrote to memory of 3584	4424	msedge.exe	79
PID 4424 wrote to memory of 3584	4424	msedge.exe	79
PID 4424 wrote to memory of 3584	4424	msedge.exe	79
PID 4424 wrote to memory of 3584	4424	msedge.exe	79
PID 4424 wrote to memory of 3584	4424	msedge.exe	79
PID 4424 wrote to memory of 2520	4424	msedge.exe	80
PID 4424 wrote to memory of 2520	4424	msedge.exe	80
PID 4424 wrote to memory of 3912	4424	msedge.exe	81
PID 4424 wrote to memory of 3912	4424	msedge.exe	81
PID 4424 wrote to memory of 3912	4424	msedge.exe	81
PID 4424 wrote to memory of 3912	4424	msedge.exe	81
PID 4424 wrote to memory of 3912	4424	msedge.exe	81
PID 4424 wrote to memory of 3912	4424	msedge.exe	81
PID 4424 wrote to memory of 3912	4424	msedge.exe	81
PID 4424 wrote to memory of 3912	4424	msedge.exe	81
PID 4424 wrote to memory of 3912	4424	msedge.exe	81
PID 4424 wrote to memory of 3912	4424	msedge.exe	81
PID 4424 wrote to memory of 3912	4424	msedge.exe	81
PID 4424 wrote to memory of 3912	4424	msedge.exe	81
PID 4424 wrote to memory of 3912	4424	msedge.exe	81
PID 4424 wrote to memory of 3912	4424	msedge.exe	81
PID 4424 wrote to memory of 3912	4424	msedge.exe	81
PID 4424 wrote to memory of 3912	4424	msedge.exe	81
PID 4424 wrote to memory of 3912	4424	msedge.exe	81
PID 4424 wrote to memory of 3912	4424	msedge.exe	81
PID 4424 wrote to memory of 3912	4424	msedge.exe	81
PID 4424 wrote to memory of 3912	4424	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://vencord.dev/
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffac0723cb8,0x7ffac0723cc8,0x7ffac0723cd8
  2⤵
  PID:2292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,1467014180864742744,7368763989568246763,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:3584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,1467014180864742744,7368763989568246763,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,1467014180864742744,7368763989568246763,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2536 /prefetch:8
  2⤵
  PID:3912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,1467014180864742744,7368763989568246763,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:2460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,1467014180864742744,7368763989568246763,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:4488
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,1467014180864742744,7368763989568246763,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,1467014180864742744,7368763989568246763,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,1467014180864742744,7368763989568246763,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
  2⤵
  PID:5024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,1467014180864742744,7368763989568246763,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:4712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,1467014180864742744,7368763989568246763,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:2572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,1467014180864742744,7368763989568246763,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
  2⤵
  PID:3060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,1467014180864742744,7368763989568246763,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
  2⤵
  PID:1348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,1467014180864742744,7368763989568246763,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
  2⤵
  PID:3400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,1467014180864742744,7368763989568246763,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6216 /prefetch:8
  2⤵
  PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,1467014180864742744,7368763989568246763,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5672 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2148
- C:\Users\Admin\Downloads\VencordInstaller.exe
  "C:\Users\Admin\Downloads\VencordInstaller.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  PID:4036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,1467014180864742744,7368763989568246763,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
  2⤵
  PID:2704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,1467014180864742744,7368763989568246763,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
  2⤵
  PID:3256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,1467014180864742744,7368763989568246763,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3320 /prefetch:8
  2⤵
  PID:3812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,1467014180864742744,7368763989568246763,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6504 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4604
- C:\Users\Admin\Downloads\VencordInstallerCli.exe
  "C:\Users\Admin\Downloads\VencordInstallerCli.exe"
  2⤵
  - Executes dropped EXE
  PID:3908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,1467014180864742744,7368763989568246763,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5968 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3036

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5044

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:800

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:388

C:\Users\Admin\Downloads\VencordInstaller.exe
"C:\Users\Admin\Downloads\VencordInstaller.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3608

C:\Users\Admin\Downloads\VencordInstaller.exe
"C:\Users\Admin\Downloads\VencordInstaller.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5084

C:\Users\Admin\Downloads\VencordInstaller.exe
"C:\Users\Admin\Downloads\VencordInstaller.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4300

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D4 0x00000000000004BC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2332

C:\Users\Admin\Downloads\VencordInstaller.exe
"C:\Users\Admin\Downloads\VencordInstaller.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1448

C:\Users\Admin\Downloads\VencordInstaller.exe
"C:\Users\Admin\Downloads\VencordInstaller.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:8

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:484

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:1048

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:3468

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1592

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8d5e555f6429eb64461265a024abf016

SHA1
05a5dca6408d473d82fe45ebc8e4843653ad55af

SHA256
0344fd65882ba51695a10e1312e65f08d58afca83771c9d545e181829d6b5ed1

SHA512
be5edfdcda1ba0db9fbab48ee1b643f1b03821e24048892d18033094fec14171035179e987a08dd91a1c25d91d9256837a4105f6765afd225a868f3e95050b8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b5710c39b3d1cd6dd0e5d30fbe1146d6

SHA1
bf018f8a3e87605bfeca89d5a71776bfc8de0b47

SHA256
770d04df1484883a18accb258ecfa407d328c32c0ccbd8866c1203c5dfb4981f

SHA512
0f868e4ce284984662d8f0ff6e76f1a53e074a7223122a75efa7bb90d0204bc59bee4b36c215d219a03707c642e13f5efce0c3c57f46659a0cb1e7fd2f4d3cf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
be8cded9a713ba50b2fa1acae83f0c05

SHA1
ed4a6ede9c7d2f38a0749279cd2df644fef9c39d

SHA256
61952576960d1d8d81f0d25730318b9d8a2cb3f009665efb41c07fbcba3b8dae

SHA512
a35ae8acd60497877af7aa77d7a7096e6e5ee480b76ebf05014e8facb3c5cea1911c46995a9c9e28ee7530b3af20632dea524db0a122e3357bee4daaf1c0a9a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
334B

MD5
d847f4b8953364b6aaf1a0dff6e2ed21

SHA1
f6848625961da76fa6b63764397268f8bba8fb22

SHA256
72238a6dc63ad93e59e1f734d9b040d83905dff13c42b2325ef336e763798e53

SHA512
eed7e21c7a020a062648964acc3c62ab0c24f7296082fc7ddc280ebf03c64d311cd0a5a17386fcc2c4b3356409dbd75735f2756171d658c029b476489eb0b38d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b65ff4478717199dbc153c752745ddff

SHA1
a0eaa9bb26bd23b023515153831117e5a8df4f78

SHA256
f8c780821c3a02fe065aeed258e173c1dbeafa0bf9fd10e4b5e42756a8330382

SHA512
549dfeb8fa82dce22af0c303348bebafa1d0376fb9dc4c28a850adb518db2165ece466c6f7a7de35fbd988b53b7fc6644054d590b9ab78cd8c5b012cfa1a996a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a4a0ca835a750aab9097d0c86f9e125f

SHA1
c88dfed62021ea8e14dea59c0f6a42c06627d712

SHA256
514be85d0dee527c5cf6e0c6f41b1df7edb9db583d4da13e9cf6e92461d676f2

SHA512
69dac32d197e3795e7f338eb9a832df404686827e51776dea96751d6901973c4e96acabb2ffde154e4a88befcb602640352a57383f4c82c4c942b6da06effe21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
269bf6fcbaaf7ac4b74bd09155a35b77

SHA1
5f6480c7f07d795c518463418be7ca622a15ffe3

SHA256
692d316a771e54f64b8d2b6a8f37d1b4812b139c601a116eb44542c958b5ec52

SHA512
344e49bf74cfb656361f8b561f8d1dea8c60c86a2d202c03ac678269044600b066adc312b469b4694bdef44e0717cb65652edfcfdc160af2483e69d0a4058da1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
203B

MD5
b5fc8252999e2cbd1013eb57d681c5a4

SHA1
b71f818c8c77e75411381ab7df7f3cae11ec5d38

SHA256
4d3b3bc93987f113e4795aae6d6f9bdd06f884d5f287b477279f5b22358c5dab

SHA512
df169a41b0b0595ff4d2da6d63d19a3e20b5bf2f46d0b333b44cbea4dd191a11376c15b0a22d0de3a44c172eff841e7b47c386f35834877c5277351e9f11093a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58d7ec.TMP

Filesize
203B

MD5
5c1e590b326a828ffec4413ebabcab5b

SHA1
d8ae24ecc83c13bc3e613b0e67e299f90a512ee5

SHA256
eabf5a47f56703edc971ca60bb4c96f4e988a45c02820f936a05bec375b83fac

SHA512
318356f76bca7801a878bc318b0f914f1885eb37af67a783acbdd9c6e8e4c72384adefb0e08656f430c44279c50bd49e6d955cfb5f4b462b8d9c7f8e140216f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
0b00d4f87a320cf41620d774ddd3938e

SHA1
72a4e9478887766ab9ab2acfd2d1d3c4205bf51e

SHA256
5af9e0c5261e912dda72bf6a0fca0c43c2d551452e81c99d2fba0eb9290f8d54

SHA512
0f41e0d0e3a4f30e09eb9da86dc82312fa2fff89bee900a97e4a21e04cdeef8a5648099a138d4673b2d0960638feb364093f9acf4ff905bd903f6f62c67c60ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f2221a0a07fec0d1203bd8bba22c2677

SHA1
544aaf1689ee31bcdef474d93d7ac0156c0806b1

SHA256
893a9e431e9b284253a10e79d0f04603b664ccb9efb8465101f99bc99521bb0c

SHA512
fb415dcfc6bb57c60ab0450e606a5af3b6722fcc8b268ed1607c2843cdba718652fdbb8e0a39c20578f2231d87a1102623a8be8b28717360366b51965e8a6b19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
efaae0fb53ef01cc2537d6398eecfbbe

SHA1
d781176937e0b5aaa2281ad2c152e450a28019a5

SHA256
2b28f93b06f3ceb451f46951f1cc24c9a95d5a8c5ecd974a900f9eefeafc3479

SHA512
b3bb78550cc3a31dc9956b5a409da50fd1231fe778482e848951656b166635d6e6c8c405fd90c0edf072090120b931fd6df6d24b1c62cd0e5d5865861a74d305

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
00fb5861617acb411da69ea9a3095d88

SHA1
5b1888eb08e3832d55876e797a6225f722e9e22a

SHA256
c595a02e7ac322e8ae50793787ba4efaa36d330d06b3148f164d35c357316606

SHA512
3f6d17140d44be69e3dff08445b9d216b2cfc3737fa6b41b0081bb704d23b194e227d689006905c5bd6456f1e519757dcd7e4ae277be08357e73d2c716bc9475

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
96498f34fbf65e00f750027e05f6e337

SHA1
e12391d4c5668d9ab63fbd9ac359576cda1f040f

SHA256
c9e81781edda5dbf84e66dc78f57f875d115fcda96c4f549fb777c7050cbd86d

SHA512
1628d039fbd91a498cd1ae906c573be07b00c3656e7b6f15ddf57f7bb0fa737320c373446d250c107984b7b9a40cc05b6d771d9b120f7639eb6019ae72b8740f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
7fc4597def4798ca746f39433cfbd3e3

SHA1
d7f7ccc48fe26b90a927c64b9b2b3fc1115afb99

SHA256
24b2d9bcfeee7b9e2578af66e33e7e95a0fc4a14e43b3ac62e29c57641611b3f

SHA512
599c2ceb2b034bc8cdc0434ca31d34bc4a469fcadcd9ffbcfbdf3ea2f92299524be2620933abd7bb2370e33007727d6c088c108c704added79d32b9cb8979277

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 267588.crdownload

Filesize
6.3MB

MD5
57c6f59b4139374c5be091d7c8c8e453

SHA1
bfb1f6ffa23c1c4493b64da704622f0341171097

SHA256
466d2a0be1f380ddffed052df3cc132125fa34dc1af29312e14f13f358c8d2a2

SHA512
2544c9c17d0e2fd41f9802881e0d08bba5d299f5b48201316e00bd7b0446a1dc125ac8b6203e3cf663f25309df6fea4a58abb8dee96f6cb341d3a056ce6bdfe5

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 270819.crdownload

Filesize
9.9MB

MD5
1b8ee61ddcfd1d425821d76ea54ca829

SHA1
f8daf2bea3d4a6bfc99455d69c3754054de3baa5

SHA256
dc0826657a005009f43bdc3a0933d08352f8b22b2b9b961697a2db6e9913e871

SHA512
75ba16ddc75564e84f5d248326908065942ad50631ec30d7952069caee15b8c5411a8802d25d38e9d80e042f1dde97a0326f4ab4f1c90f8e4b81396ca69c229a

Download Submit
C:\Users\Admin\Downloads\VencordInstaller.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/8-260-0x00007FF63D390000-0x00007FF63E609000-memory.dmp

Filesize
18.5MB

Download
memory/1448-258-0x00007FF63D390000-0x00007FF63E609000-memory.dmp

Filesize
18.5MB

Download
memory/3608-125-0x00007FF7ED750000-0x00007FF7EE9C9000-memory.dmp

Filesize
18.5MB

Download
memory/4036-106-0x00007FF6DBC70000-0x00007FF6DCEE9000-memory.dmp

Filesize
18.5MB

Download
memory/4300-162-0x00007FF63D390000-0x00007FF63E609000-memory.dmp

Filesize
18.5MB

Download
memory/5084-145-0x00007FF7ED750000-0x00007FF7EE9C9000-memory.dmp

Filesize
18.5MB

Download