Analysis
max time kernel: 273s
max time network: 281s
platform: windows11-21h2_x64
resource: win11-20240419-en
resource tags: arch:x64, arch:x86, image:win11-20240419-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 29/04/2024, 19:10
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://vencord.dev/
Resource: win11-20240419-en

General
Target: https://vencord.dev/
Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 7 IoCs
pid | Process
4036 | VencordInstaller.exe
3608 | VencordInstaller.exe
5084 | VencordInstaller.exe
4300 | VencordInstaller.exe
3908 | VencordInstallerCli.exe
1448 | VencordInstaller.exe
8 | VencordInstaller.exe
Drops file in Windows directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Panther\UnattendGC\setupact.log | UserOOBEBroker.exe
File opened for modification | C:\Windows\Panther\UnattendGC\setuperr.log | UserOOBEBroker.exe
File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | UserOOBEBroker.exe
File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | UserOOBEBroker.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Modifies system certificate store
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | VencordInstaller.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | VencordInstaller.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (second write of the same value; the duplicate hex is elided in this copy) | VencordInstaller.exe
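The "Modifies system certificate store" hit above needs to be read before it is treated as tampering. The key name D1EB23A46D17D68FD92564C2F1F1601764D8E349 is the SHA-1 thumbprint of the certificate carried inside the Blob, and the Blob's own property records decode to the friendly name "Sectigo (AAA)" and a DER certificate whose subject is C=GB, O=Comodo CA Limited, CN=AAA Certificate Services, valid 2004-01-01 to 2028-12-31: a public root in the Microsoft root program, not a certificate the installer brought with it. The AuthRoot\Certificates key is the cache that crypt32 fills through automatic root update when a chain is built to a trusted root not yet present on the machine, and the write is attributed to whichever process triggered chain validation, which is why it shows up under VencordInstaller.exe; a process that installs its own root would write to ...\SystemCertificates\ROOT\Certificates under an unknown thumbprint. The parser below, an added example rather than tria.ge's code, walks the Blob's record format (little-endian u32 property id, u32 reserved word observed as 1, u32 length, data) and cross-checks the thumbprint property against the key name, decodes the friendly name and the enhanced-key-usage OIDs, and hashes the certificate when it is present. The embedded sample is the first ten property records copied from the Blob above; the eleventh record (property 32, the 1078-byte certificate) is left out for length, and pasting the report's full hex in its place exercises the SHA-1 check.

```python
"""Decode a CryptoAPI certificate "Blob" registry value (added example, not tria.ge code).

Each record in the value: u32 property id | u32 reserved (observed 1) | u32 length | data,
integers little-endian. Property ids are CERT_*_PROP_ID values from wincrypt.h.
"""
from __future__ import annotations

import hashlib
import struct

PROP_NAMES = {  # subset of CERT_*_PROP_ID; the CERT_ / _PROP_ID affixes are dropped
    3: "SHA1_HASH", 4: "MD5_HASH", 9: "ENHKEY_USAGE", 11: "FRIENDLY_NAME",
    15: "SIGNATURE_HASH", 20: "KEY_IDENTIFIER", 25: "SUBJECT_PUBLIC_KEY_MD5_HASH",
    29: "SUBJECT_NAME_MD5_HASH", 32: "CERT", 83: "ROOT_PROGRAM_CERT_POLICIES",
    98: "AUTH_ROOT_SHA256_HASH",
}
EKU_NAMES = {
    "1.3.6.1.5.5.7.3.1": "serverAuth", "1.3.6.1.5.5.7.3.2": "clientAuth",
    "1.3.6.1.5.5.7.3.3": "codeSigning", "1.3.6.1.5.5.7.3.4": "emailProtection",
    "1.3.6.1.5.5.7.3.6": "ipsecTunnel", "1.3.6.1.5.5.7.3.7": "ipsecUser",
    "1.3.6.1.5.5.7.3.8": "timeStamping", "1.3.6.1.4.1.311.10.3.4": "efs",
}


def parse_blob(blob: bytes) -> dict:
    """Walk the property records; return {prop_id: data} in record order."""
    props, off = {}, 0
    while off < len(blob):
        if len(blob) - off < 12:
            raise ValueError(f"truncated record header at offset {off}")
        prop_id, _reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if len(blob) - off < length:
            raise ValueError(f"record {prop_id} claims {length} bytes, {len(blob) - off} left")
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def build_blob(records) -> bytes:
    """Serialize (prop_id, data) pairs in the same record format."""
    return b"".join(struct.pack("<III", pid, 1, len(data)) + data for pid, data in records)


def der_length(buf: bytes, off: int) -> tuple:
    """Return (length, offset of content) for the DER length field at buf[off]."""
    first = buf[off]
    if first < 0x80:
        return first, off + 1
    n = first & 0x7F
    return int.from_bytes(buf[off + 1:off + 1 + n], "big"), off + 1 + n


def decode_oid(content: bytes) -> str:
    """Content octets of an OBJECT IDENTIFIER -> dotted string (first two arcs packed in byte 0)."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def decode_eku(der: bytes) -> list:
    """CERT_ENHKEY_USAGE_PROP_ID is a DER SEQUENCE OF OBJECT IDENTIFIER."""
    if der[0] != 0x30:
        raise ValueError("EKU property is not a SEQUENCE")
    length, off = der_length(der, 1)
    end, oids = off + length, []
    while off < end:
        if der[off] != 0x06:
            raise ValueError(f"expected OID tag at offset {off}")
        oid_len, off = der_length(der, off + 1)
        oids.append(decode_oid(der[off:off + oid_len]))
        off += oid_len
    return oids


def summarize(blob_hex: str, key_name: str) -> dict:
    """Cross-check a Blob against the Certificates\\<key_name> key it was written under."""
    props = parse_blob(bytes.fromhex(blob_hex))
    sha1 = props[3].hex().upper()
    cert = props.get(32)
    return {
        "properties": [PROP_NAMES.get(i, f"prop_{i}") for i in props],
        "thumbprint": sha1,
        "thumbprint_matches_key": sha1 == key_name.upper(),
        "friendly_name": props[11].decode("utf-16-le").rstrip("\x00") if 11 in props else None,
        "key_identifier": props[20].hex() if 20 in props else None,
        "eku": [f"{o} ({EKU_NAMES.get(o, '?')})" for o in (decode_eku(props[9]) if 9 in props else [])],
        "certificate_present": cert is not None,
        # When the DER certificate is present it must hash to the SHA-1 property (and the key name).
        "certificate_sha1_ok": hashlib.sha1(cert).digest() == props[3] if cert else None,
    }


# First ten records of the Blob in the report, copied verbatim; record 11 (property 32,
# the 1078-byte DER certificate) is omitted here for length.
SAMPLE_BLOB_HEX = (
    "040000000100000010000000" "497904b0eb8719ac47b0bc11519b74d0"                      # 4  MD5_HASH
    "0f0000000100000014000000" "3e8e6487f8fd27d322a269a71edaac5d57811286"              # 15 SIGNATURE_HASH
    "090000000100000054000000" "3052"                                                   # 9  ENHKEY_USAGE
    "06082b06010505070302" "06082b06010505070303" "060a2b0601040182370a0304"
    "06082b06010505070304" "06082b06010505070306" "06082b06010505070307"
    "06082b06010505070301" "06082b06010505070308"
    "530000000100000043000000"                                                          # 83 ROOT_PROGRAM_CERT_POLICIES
    "30413022060c2b06010401b231010201050130123010060a2b0601040182373c0101"
    "030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0"
    "620000000100000020000000"                                                          # 98 AUTH_ROOT_SHA256_HASH
    "d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef4"
    "0b000000010000001c000000" "5300650063007400690067006f002000280041004100410029000000"  # 11 FRIENDLY_NAME
    "140000000100000014000000" "a0110a233e96f107ece2af29ef82a57fd030a4b4"              # 20 KEY_IDENTIFIER
    "1d0000000100000010000000" "2e0d6875874a44c820912e85e964cfdb"                      # 29 SUBJECT_NAME_MD5_HASH
    "030000000100000014000000" "d1eb23a46d17d68fd92564c2f1f1601764d8e349"              # 3  SHA1_HASH (= key name)
    "190000000100000010000000" "2aa1c05e2ae606f198c2c5e937c97aa2"                      # 25 SUBJECT_PUBLIC_KEY_MD5_HASH
)
```

Running summarize(SAMPLE_BLOB_HEX, "D1EB23A46D17D68FD92564C2F1F1601764D8E349") reports the thumbprint matching the key, the friendly name "Sectigo (AAA)", and an EKU list covering client/server auth, code signing, e-mail, IPsec, EFS and timestamping, which is the profile of a general-purpose root rather than of a purpose-built interception CA. The same routine applied to a Blob under the ROOT store, or to one whose certificate does not hash to its own key name, is where the attention belongs.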
NTFS ADS 4 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 270819.crdownload:SmartScreen | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\VencordInstaller.exe:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 267588.crdownload:SmartScreen | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\VencordInstallerCli.exe:Zone.Identifier | msedge.exe
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid | Process | hits
2520 | msedge.exe | 2
4424 | msedge.exe | 2
5000 | identity_helper.exe | 2
1700 | msedge.exe | 2
2148 | msedge.exe | 2
4604 | msedge.exe | 2
3036 | msedge.exe | 4
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
pid | Process
4424 | msedge.exe (all 10 IoCs)
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: 33 | 2332 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 2332 | AUDIODG.EXE
Suspicious use of FindShellTrayWindow 49 IoCs
pid | Process
4424 | msedge.exe (all 49 IoCs)
Suspicious use of SendNotifyMessage 12 IoCs
pid | Process
4424 | msedge.exe (all 12 IoCs)
Suspicious use of SetWindowsHookEx 8 IoCs
pid | Process
4036 | VencordInstaller.exe
3608 | VencordInstaller.exe
5084 | VencordInstaller.exe
4300 | VencordInstaller.exe
1448 | VencordInstaller.exe
8 | VencordInstaller.exe
1592 | OpenWith.exe
4976 | OpenWith.exe
Suspicious use of WriteProcessMemory 64 IoCs
All 64 IoCs are PID 4424 (msedge.exe) writing into four of its own child processes; the distinct rows are listed once each (procid_target is tria.ge's process index, not a Windows PID).
description | pid | Process | procid_target
PID 4424 wrote to memory of 2292 | 4424 | msedge.exe | 78 (2 hits)
PID 4424 wrote to memory of 3584 | 4424 | msedge.exe | 79 (repeated)
PID 4424 wrote to memory of 2520 | 4424 | msedge.exe | 80 (2 hits)
PID 4424 wrote to memory of 3912 | 4424 | msedge.exe | 81 (repeated)
Processes
Top-level processes start at the left margin; processes spawned by PID 4424 are indented beneath it. Each entry shows the command line, then the signatures that fired on it, then the PID.

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://vencord.dev/
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 4424

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffac0723cb8,0x7ffac0723cc8,0x7ffac0723cd8
      PID: 2292

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,1467014180864742744,7368763989568246763,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
      PID: 3584

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,1467014180864742744,7368763989568246763,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
      PID: 2520

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,1467014180864742744,7368763989568246763,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2536 /prefetch:8
      PID: 3912

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,1467014180864742744,7368763989568246763,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
      PID: 2460

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,1467014180864742744,7368763989568246763,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-fact
or=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
      PID: 4488

    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,1467014180864742744,7368763989568246763,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID: 5000

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,1467014180864742744,7368763989568246763,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID: 1700

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,1467014180864742744,7368763989568246763,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
      PID: 5024

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,1467014180864742744,7368763989568246763,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
      PID: 4712

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,1467014180864742744,7368763989568246763,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
      PID: 2572

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,1467014180864742744,7368763989568246763,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
      PID: 3060

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,1467014180864742744,7368763989568246763,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
      PID: 1348

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,1467014180864742744,7368763989568246763,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
      PID: 3400

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,1467014180864742744,7368763989568246763,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6216 /prefetch:8
      PID: 4788

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,1467014180864742744,7368763989568246763,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5672 /prefetch:8
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses
      PID: 2148

    "C:\Users\Admin\Downloads\VencordInstaller.exe"
      - Executes dropped EXE
      - Modifies system certificate store
      - Suspicious use of SetWindowsHookEx
      PID: 4036

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,1467014180864742744,7368763989568246763,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
      PID: 2704

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,1467014180864742744,7368763989568246763,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
      PID: 3256

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,1467014180864742744,7368763989568246763,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3320 /prefetch:8
      PID: 3812

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,1467014180864742744,7368763989568246763,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6504 /prefetch:8
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses
      PID: 4604

    "C:\Users\Admin\Downloads\VencordInstallerCli.exe"
      - Executes dropped EXE
      PID: 3908

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,1467014180864742744,7368763989568246763,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5968 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses
      PID: 3036

C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 5044

C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 800

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 388

"C:\Users\Admin\Downloads\VencordInstaller.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 3608

"C:\Users\Admin\Downloads\VencordInstaller.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 5084

"C:\Users\Admin\Downloads\VencordInstaller.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 4300

C:\Windows\system32\AUDIODG.EXE 0x00000000000004D4 0x00000000000004BC
  - Suspicious use of AdjustPrivilegeToken
  PID: 2332

"C:\Users\Admin\Downloads\VencordInstaller.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 1448

"C:\Users\Admin\Downloads\VencordInstaller.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID: 8

C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
  PID: 484

C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
  - Drops file in Windows directory
  PID: 1048

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
  PID: 3468

C:\Windows\system32\OpenWith.exe -Embedding
  - Suspicious use of SetWindowsHookEx
  PID: 1592

C:\Windows\system32\OpenWith.exe -Embedding
  - Suspicious use of SetWindowsHookEx
  PID: 4976
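The WriteProcessMemory signature and the process tree are best read together: every one of the 64 hits has msedge.exe (PID 4424, the browser process) as the writer, and the four targets it ever wrote to are 2292, 3584, 2520 and 3912, which the tree shows to be Edge's own crashpad handler, GPU process, network service and storage service. A Chromium browser writing into the helper processes it has just launched is how those helpers are bootstrapped, so on its own this signature says nothing about the sample. The script below, an added example rather than tria.ge's code, does that join mechanically: it parses the IoC lines (note that the last column, procid_target, is tria.ge's process index, not a Windows PID), collapses them to distinct writer/target pairs with hit counts, resolves each target against a small table reduced from the Processes section above, and flags any target whose image differs from the writer's or that is absent from the process list. The embedded IoC text is an eight-line excerpt of the report's 64 records, so the counts it yields are for the excerpt only; image-name equality is a triage heuristic, not proof, since nothing stops an injector from being named msedge.exe.

```python
"""Collapse tria.ge WriteProcessMemory IoCs and join them to the process list.

Added example for this report, not tria.ge code. Each IoC line reads
  PID <writer> wrote to memory of <target pid> <writer pid> <writer image> <procid_target>
where procid_target is tria.ge's own process index, not a Windows PID.
"""
from __future__ import annotations

import re
from collections import Counter

RECORD = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)")

# Excerpt of the report's 64 IoCs, one per line (the page runs them together).
# Hit counts computed below refer to this excerpt, not to the full 64.
IOC_TEXT = """\
PID 4424 wrote to memory of 2292 4424 msedge.exe 78
PID 4424 wrote to memory of 2292 4424 msedge.exe 78
PID 4424 wrote to memory of 3584 4424 msedge.exe 79
PID 4424 wrote to memory of 3584 4424 msedge.exe 79
PID 4424 wrote to memory of 3584 4424 msedge.exe 79
PID 4424 wrote to memory of 2520 4424 msedge.exe 80
PID 4424 wrote to memory of 3912 4424 msedge.exe 81
PID 4424 wrote to memory of 3912 4424 msedge.exe 81
"""

# (image, role) per PID, reduced from the report's Processes section. The role is
# the Chromium --type / --utility-sub-type switch on that process's command line.
PROCESSES = {
    4424: ("msedge.exe", "browser: --single-argument https://vencord.dev/"),
    2292: ("msedge.exe", "crashpad-handler"),
    3584: ("msedge.exe", "gpu-process"),
    2520: ("msedge.exe", "utility network.mojom.NetworkService"),
    3912: ("msedge.exe", "utility storage.mojom.StorageService"),
    4036: ("VencordInstaller.exe", "dropped EXE run from Downloads"),
}


def parse_records(text: str) -> list:
    """Return (writer_pid, target_pid, writer_image, procid_target) tuples; non-matching lines are skipped."""
    out = []
    for line in text.splitlines():
        m = RECORD.fullmatch(line.strip())
        if m:
            writer, target, _writer_again, image, procid = m.groups()
            out.append((int(writer), int(target), image, int(procid)))
    return out


def summarize_edges(records: list, processes: dict) -> list:
    """One row per distinct writer->target pair, target resolved through the process list."""
    hits = Counter((w, t) for w, t, _, _ in records)
    writer_image = {w: img for w, _, img, _ in records}
    rows = []
    for (w, t), n in sorted(hits.items()):
        t_image, t_role = processes.get(t, ("<not in process list>", "unknown"))
        rows.append({
            "writer": w, "writer_image": writer_image[w],
            "target": t, "target_image": t_image, "target_role": t_role,
            "hits": n,
            # A browser process writing into helpers of its own image is how Chromium
            # launches them; a target of another image, or one missing from the
            # process list, is what actually deserves a look.
            "cross_image": t_image != writer_image[w],
        })
    return rows


def needs_review(rows: list) -> list:
    """The subset of edges a reviewer should open by hand."""
    return [r for r in rows if r["cross_image"]]


if __name__ == "__main__":
    for row in summarize_edges(parse_records(IOC_TEXT), PROCESSES):
        print(f"{row['writer']} ({row['writer_image']}) -> {row['target']} "
              f"({row['target_image']}, {row['target_role']}) x{row['hits']}"
              f"{'  <-- review' if row['cross_image'] else ''}")
```

On the excerpt the script yields four rows, all same-image, and an empty review list; feeding it a constructed record such as the installer writing into the browser, or a target PID that the process tree never lists, puts that edge on the review list, which is the behaviour a triage workflow wants from this signature.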
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 152B
MD5: 8d5e555f6429eb64461265a024abf016
SHA1: 05a5dca6408d473d82fe45ebc8e4843653ad55af
SHA256: 0344fd65882ba51695a10e1312e65f08d58afca83771c9d545e181829d6b5ed1
SHA512: be5edfdcda1ba0db9fbab48ee1b643f1b03821e24048892d18033094fec14171035179e987a08dd91a1c25d91d9256837a4105f6765afd225a868f3e95050b8f

Filesize: 152B
MD5: b5710c39b3d1cd6dd0e5d30fbe1146d6
SHA1: bf018f8a3e87605bfeca89d5a71776bfc8de0b47
SHA256: 770d04df1484883a18accb258ecfa407d328c32c0ccbd8866c1203c5dfb4981f
SHA512: 0f868e4ce284984662d8f0ff6e76f1a53e074a7223122a75efa7bb90d0204bc59bee4b36c215d219a03707c642e13f5efce0c3c57f46659a0cb1e7fd2f4d3cf1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 120B
MD5: be8cded9a713ba50b2fa1acae83f0c05
SHA1: ed4a6ede9c7d2f38a0749279cd2df644fef9c39d
SHA256: 61952576960d1d8d81f0d25730318b9d8a2cb3f009665efb41c07fbcba3b8dae
SHA512: a35ae8acd60497877af7aa77d7a7096e6e5ee480b76ebf05014e8facb3c5cea1911c46995a9c9e28ee7530b3af20632dea524db0a122e3357bee4daaf1c0a9a8

Filesize: 334B
MD5: d847f4b8953364b6aaf1a0dff6e2ed21
SHA1: f6848625961da76fa6b63764397268f8bba8fb22
SHA256: 72238a6dc63ad93e59e1f734d9b040d83905dff13c42b2325ef336e763798e53
SHA512: eed7e21c7a020a062648964acc3c62ab0c24f7296082fc7ddc280ebf03c64d311cd0a5a17386fcc2c4b3356409dbd75735f2756171d658c029b476489eb0b38d

Filesize: 5KB
MD5: b65ff4478717199dbc153c752745ddff
SHA1: a0eaa9bb26bd23b023515153831117e5a8df4f78
SHA256: f8c780821c3a02fe065aeed258e173c1dbeafa0bf9fd10e4b5e42756a8330382
SHA512: 549dfeb8fa82dce22af0c303348bebafa1d0376fb9dc4c28a850adb518db2165ece466c6f7a7de35fbd988b53b7fc6644054d590b9ab78cd8c5b012cfa1a996a

Filesize: 6KB
MD5: a4a0ca835a750aab9097d0c86f9e125f
SHA1: c88dfed62021ea8e14dea59c0f6a42c06627d712
SHA256: 514be85d0dee527c5cf6e0c6f41b1df7edb9db583d4da13e9cf6e92461d676f2
SHA512: 69dac32d197e3795e7f338eb9a832df404686827e51776dea96751d6901973c4e96acabb2ffde154e4a88befcb602640352a57383f4c82c4c942b6da06effe21

Filesize: 6KB
MD5: 269bf6fcbaaf7ac4b74bd09155a35b77
SHA1: 5f6480c7f07d795c518463418be7ca622a15ffe3
SHA256: 692d316a771e54f64b8d2b6a8f37d1b4812b139c601a116eb44542c958b5ec52
SHA512: 344e49bf74cfb656361f8b561f8d1dea8c60c86a2d202c03ac678269044600b066adc312b469b4694bdef44e0717cb65652edfcfdc160af2483e69d0a4058da1

Filesize: 203B
MD5: b5fc8252999e2cbd1013eb57d681c5a4
SHA1: b71f818c8c77e75411381ab7df7f3cae11ec5d38
SHA256: 4d3b3bc93987f113e4795aae6d6f9bdd06f884d5f287b477279f5b22358c5dab
SHA512: df169a41b0b0595ff4d2da6d63d19a3e20b5bf2f46d0b333b44cbea4dd191a11376c15b0a22d0de3a44c172eff841e7b47c386f35834877c5277351e9f11093a

Filesize: 203B
MD5: 5c1e590b326a828ffec4413ebabcab5b
SHA1: d8ae24ecc83c13bc3e613b0e67e299f90a512ee5
SHA256: eabf5a47f56703edc971ca60bb4c96f4e988a45c02820f936a05bec375b83fac
SHA512: 318356f76bca7801a878bc318b0f914f1885eb37af67a783acbdd9c6e8e4c72384adefb0e08656f430c44279c50bd49e6d955cfb5f4b462b8d9c7f8e140216f6

Filesize: 16B
MD5: 46295cac801e5d4857d09837238a6394
SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Filesize: 16B
MD5: 206702161f94c5cd39fadd03f4014d98
SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Filesize: 12KB
MD5: 0b00d4f87a320cf41620d774ddd3938e
SHA1: 72a4e9478887766ab9ab2acfd2d1d3c4205bf51e
SHA256: 5af9e0c5261e912dda72bf6a0fca0c43c2d551452e81c99d2fba0eb9290f8d54
SHA512: 0f41e0d0e3a4f30e09eb9da86dc82312fa2fff89bee900a97e4a21e04cdeef8a5648099a138d4673b2d0960638feb364093f9acf4ff905bd903f6f62c67c60ef

Filesize: 11KB
MD5: f2221a0a07fec0d1203bd8bba22c2677
SHA1: 544aaf1689ee31bcdef474d93d7ac0156c0806b1
SHA256: 893a9e431e9b284253a10e79d0f04603b664ccb9efb8465101f99bc99521bb0c
SHA512: fb415dcfc6bb57c60ab0450e606a5af3b6722fcc8b268ed1607c2843cdba718652fdbb8e0a39c20578f2231d87a1102623a8be8b28717360366b51965e8a6b19

Filesize: 12KB
MD5: efaae0fb53ef01cc2537d6398eecfbbe
SHA1: d781176937e0b5aaa2281ad2c152e450a28019a5
SHA256: 2b28f93b06f3ceb451f46951f1cc24c9a95d5a8c5ecd974a900f9eefeafc3479
SHA512: b3bb78550cc3a31dc9956b5a409da50fd1231fe778482e848951656b166635d6e6c8c405fd90c0edf072090120b931fd6df6d24b1c62cd0e5d5865861a74d305

Filesize: 11KB
MD5: 00fb5861617acb411da69ea9a3095d88
SHA1: 5b1888eb08e3832d55876e797a6225f722e9e22a
SHA256: c595a02e7ac322e8ae50793787ba4efaa36d330d06b3148f164d35c357316606
SHA512: 3f6d17140d44be69e3dff08445b9d216b2cfc3737fa6b41b0081bb704d23b194e227d689006905c5bd6456f1e519757dcd7e4ae277be08357e73d2c716bc9475

Filesize: 11KB
MD5: 96498f34fbf65e00f750027e05f6e337
SHA1: e12391d4c5668d9ab63fbd9ac359576cda1f040f
SHA256: c9e81781edda5dbf84e66dc78f57f875d115fcda96c4f549fb777c7050cbd86d
SHA512: 1628d039fbd91a498cd1ae906c573be07b00c3656e7b6f15ddf57f7bb0fa737320c373446d250c107984b7b9a40cc05b6d771d9b120f7639eb6019ae72b8740f

Filesize: 12KB
MD5: 7fc4597def4798ca746f39433cfbd3e3
SHA1: d7f7ccc48fe26b90a927c64b9b2b3fc1115afb99
SHA256: 24b2d9bcfeee7b9e2578af66e33e7e95a0fc4a14e43b3ac62e29c57641611b3f
SHA512: 599c2ceb2b034bc8cdc0434ca31d34bc4a469fcadcd9ffbcfbdf3ea2f92299524be2620933abd7bb2370e33007727d6c088c108c704added79d32b9cb8979277

Filesize: 6.3MB
MD5: 57c6f59b4139374c5be091d7c8c8e453
SHA1: bfb1f6ffa23c1c4493b64da704622f0341171097
SHA256: 466d2a0be1f380ddffed052df3cc132125fa34dc1af29312e14f13f358c8d2a2
SHA512: 2544c9c17d0e2fd41f9802881e0d08bba5d299f5b48201316e00bd7b0446a1dc125ac8b6203e3cf663f25309df6fea4a58abb8dee96f6cb341d3a056ce6bdfe5

Filesize: 9.9MB
MD5: 1b8ee61ddcfd1d425821d76ea54ca829
SHA1: f8daf2bea3d4a6bfc99455d69c3754054de3baa5
SHA256: dc0826657a005009f43bdc3a0933d08352f8b22b2b9b961697a2db6e9913e871
SHA512: 75ba16ddc75564e84f5d248326908065942ad50631ec30d7952069caee15b8c5411a8802d25d38e9d80e042f1dde97a0326f4ab4f1c90f8e4b81396ca69c229a

Filesize: 26B
MD5: fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1: d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256: eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512: aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98