Analysis
- max time kernel: 147s
- max time network: 161s
- platform: windows11-21h2_x64
- resource: win11-20240426-en
- resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 21-05-2024 23:40
- Static task: static1
- URLScan task: urlscan1
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
The DSDT table under HARDWARE\ACPI carries the VirtualBox OEM ID (VBOX__) only inside a VirtualBox guest, so opening this key succeeds only when the sample is running under VirtualBox.
Processes:
- modest-menu.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
- modest-menu.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- modest-menu.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Executes dropped EXE (1 IoC)
Processes:
- PID 6076 modest-menu.exe
Themida packer (YARA rule: themida) (9 IoCs)
Resources matching the rule:
- C:\Users\Admin\Downloads\modest-menu_v1.0.0_[kiddionsmodmenu.com]_\modest-menu.exe (on disk)
- behavioral1/memory/6076-686-0x00007FF7BE7D0000-0x00007FF7C11DF000-memory.dmp
- behavioral1/memory/6076-687-0x00007FF7BE7D0000-0x00007FF7C11DF000-memory.dmp
- behavioral1/memory/6076-688-0x00007FF7BE7D0000-0x00007FF7C11DF000-memory.dmp
- behavioral1/memory/6076-689-0x00007FF7BE7D0000-0x00007FF7C11DF000-memory.dmp
- behavioral1/memory/6076-690-0x00007FF7BE7D0000-0x00007FF7C11DF000-memory.dmp
- behavioral1/memory/6076-691-0x00007FF7BE7D0000-0x00007FF7C11DF000-memory.dmp
- behavioral1/memory/6076-692-0x00007FF7BE7D0000-0x00007FF7C11DF000-memory.dmp
- behavioral1/memory/6076-693-0x00007FF7BE7D0000-0x00007FF7C11DF000-memory.dmp
All eight dumps of PID 6076 cover the same single region 0x00007FF7BE7D0000-0x00007FF7C11DF000 (0x2A0F000 bytes, about 42 MiB), and the rule matches in every one of them, so the Themida protection is still present in the mapped image at each dump point.
Checks whether UAC is enabled (1 IoC)
Processes:
- modest-menu.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
ThreadHideFromDebugger (THREAD_INFORMATION_CLASS 0x11) tells the kernel to stop delivering that thread's debug events to an attached debugger, so breakpoints and exceptions on the thread become invisible to a user-mode debugger.
Processes:
- PID 6076 modest-menu.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
- msedge.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
- msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
- msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
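The registry signatures above differ a great deal in what they say about intent: the VBOX__ ACPI key is hypervisor-specific, the BIOS version strings and EnableLUA are classic pre-flight checks, while the BIOS manufacturer and product name that msedge.exe reads are ordinary hardware inventory. As an added example that is not part of this report, the Python below takes rows in the report's own "Key opened / Key value queried <path> <process>" shape (constructed here from the rows shown above), maps each path to a category, and flags a process only when it touches a hypervisor-specific key or combines two evasion categories. The category table and the threshold are the editor's own; the FADT and RSDT variants of the VBOX__ key are included because VirtualBox stamps all three ACPI tables the same way, which goes beyond the DSDT key this report records.

```python
"""Classify sandbox-report registry IoCs into evasion categories.

Added example, not part of the Triage report or of the analysed sample.
The input rows are constructed to mirror the report's own
"Key opened / Key value queried <path> <process>" rows; the category
table and the flagging threshold are the editor's own.
"""
import re
from collections import defaultdict

EVENT_VERBS = ("Key value queried", "Key opened", "Key created")

# (pattern, category, why it matters). Patterns match the end of the path.
RULES = [
    # VirtualBox stamps its OEM id on the DSDT, FADT and RSDT tables; the
    # report shows only DSDT, the other two are the same check (editor's
    # addition, not taken from the report).
    (re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__$", re.I),
     "anti-vm", "ACPI table carries the VirtualBox OEM id only inside a VirtualBox guest"),
    (re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion)$", re.I),
     "anti-sandbox", "BIOS version strings name hypervisor firmware (VBOX, VMware, QEMU/Bochs)"),
    (re.compile(r"\\Policies\\System\\EnableLUA$", re.I),
     "uac-check", "EnableLUA=0 means UAC is disabled, so elevation happens silently"),
    (re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\BIOS\\(SystemManufacturer|SystemProductName)$", re.I),
     "hw-inventory", "generic hardware identity; browsers and telemetry read this too"),
]
EVASION = {"anti-vm", "anti-sandbox", "uac-check"}

# Constructed from the registry rows in the Signatures section of the report.
SAMPLE_EVENTS = r"""
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ modest-menu.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion modest-menu.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion modest-menu.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA modest-menu.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe
Key created \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings msedge.exe
""".strip().splitlines()


def parse_event(line):
    """Split one report row into (verb, registry path, process), or None."""
    line = line.strip()
    for verb in EVENT_VERBS:
        if line.startswith(verb + " "):
            # The process image is the last whitespace-separated token; the
            # path itself may contain spaces ("...\Local Settings").
            path, _, process = line[len(verb) + 1:].rpartition(" ")
            if path and process:
                return verb, path, process
    return None


def classify_path(path):
    """Return (category, rationale) for the first matching rule, or None."""
    for pattern, category, why in RULES:
        if pattern.search(path):
            return category, why
    return None


def triage(lines):
    """Group classified registry hits per process and decide if it looks evasive.

    A process is flagged when it touches a hypervisor-specific key, or when it
    combines at least two distinct evasion categories. Hardware inventory on
    its own never flags, which keeps msedge.exe out of the result.
    """
    per_proc = defaultdict(lambda: {"categories": set(), "hits": [], "evasive": False})
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        verb, path, process = parsed
        hit = classify_path(path)
        if hit is None:
            continue
        category, why = hit
        per_proc[process]["categories"].add(category)
        per_proc[process]["hits"].append((verb, path, category, why))
    for entry in per_proc.values():
        evasion_cats = entry["categories"] & EVASION
        entry["evasive"] = "anti-vm" in evasion_cats or len(evasion_cats) >= 2
    return dict(per_proc)


if __name__ == "__main__":
    for process, entry in triage(SAMPLE_EVENTS).items():
        flag = "EVASIVE" if entry["evasive"] else "benign-looking"
        print(f"{process}: {flag} {sorted(entry['categories'])}")
        for verb, path, category, why in entry["hits"]:
            print(f"    [{category}] {verb} {path}\n        {why}")
```

Run on the constructed rows, modest-menu.exe ends up with anti-vm, anti-sandbox and uac-check and is flagged, while msedge.exe carries only hw-inventory and is not; the "Key created ... Local Settings" row exercises the path-with-spaces case and matches no rule.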
Modifies registry class (1 IoC)
Processes:
- msedge.exe: Key created \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings
NTFS ADS (1 IoC)
The Zone.Identifier stream is the Mark-of-the-Web the browser writes on a downloaded file. The report shows only that the .zip received it; whether 7zG.exe propagated the mark to the extracted modest-menu.exe is not recorded.
Processes:
- msedge.exe: File opened for modification C:\Users\Admin\Downloads\modest-menu_v1.0.0_[kiddionsmodmenu.com]_.zip:Zone.Identifier
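As an added example, not part of the report, the Python below parses the INI layout of a Zone.Identifier stream from a constructed sample (the URLs are placeholders; the report does not show the stream's contents) and shows how the stream is addressed on disk, in the same "<file>:Zone.Identifier" form as the IoC above. A ZoneId of 3 (Internet) or higher is what makes SmartScreen and Office Protected View treat the file as untrusted, and a missing stream should be read as "origin unknown", not as "local".

```python
"""Parse a Zone.Identifier alternate data stream (Mark-of-the-Web).

Added example, not part of the report. The stream content below is
constructed: the report shows only that msedge.exe wrote the stream onto the
downloaded .zip, not what it contained.
"""
import configparser

# URL security zone ids as Windows defines them for ZoneId.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Constructed sample in the INI layout Windows uses; Chromium-based browsers
# write ZoneId plus ReferrerUrl and HostUrl. The URLs are placeholders.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/download-page\r\n"
    "HostUrl=https://cdn.example.invalid/modest-menu_v1.0.0.zip\r\n"
)


def parse_zone_identifier(text):
    """Return the zone id, its name, the recorded URLs and an Internet flag.

    Raises ValueError when [ZoneTransfer] or ZoneId is missing. A missing or
    mangled stream means "origin unknown", which callers should treat as
    untrusted rather than as a local file.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep ZoneId/HostUrl case as written
    parser.read_string(text)
    if not parser.has_section("ZoneTransfer"):
        raise ValueError("missing [ZoneTransfer] section")
    section = parser["ZoneTransfer"]
    if "ZoneId" not in section:
        raise ValueError("missing ZoneId")
    zone_id = int(section["ZoneId"])
    return {
        "zone_id": zone_id,
        "zone_name": ZONE_NAMES.get(zone_id, "unknown"),
        "referrer_url": section.get("ReferrerUrl"),
        "host_url": section.get("HostUrl"),
        # Zone 3 (Internet) and 4 (Restricted) are what SmartScreen and
        # Office Protected View key on.
        "from_internet": zone_id >= 3,
    }


def read_motw(path):
    """Read and parse a file's Zone.Identifier stream on an NTFS volume.

    Windows only: the stream is opened as '<file>:Zone.Identifier', the same
    form the report shows for the downloaded archive. Returns None when the
    file carries no stream, i.e. it was never marked or the mark was stripped.
    """
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    info = parse_zone_identifier(SAMPLE_STREAM)
    print(f"ZoneId={info['zone_id']} ({info['zone_name']}), internet={info['from_internet']}")
    print(f"HostUrl={info['host_url']}")
```

On a Windows analysis box, `read_motw(r"C:\Users\Admin\Downloads\modest-menu_v1.0.0_[kiddionsmodmenu.com]_.zip")` reads the stream the report shows Edge writing; calling it on the extracted modest-menu.exe tells you whether the archiver kept the mark.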
Suspicious behavior: EnumeratesProcesses (16 IoCs)
Processes (PID, image, hits):
- 3396 msedge.exe (2)
- 2076 msedge.exe (2)
- 3084 msedge.exe (2)
- 4400 identity_helper.exe (2)
- 2052 msedge.exe (2)
- 6076 modest-menu.exe (2)
- 4708 msedge.exe (4)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (26 IoCs)
All 26 hits are the Edge browser process creating its own children with the block-non-Microsoft-binaries mitigation policy, which is normal for Chromium-based browsers; none involve the sample.
Processes:
- 2076 msedge.exe (26 hits)
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes:
- 2236 AUDIODG.EXE: privilege LUID 33 (SeIncreaseWorkingSetPrivilege); SeIncBasePriorityPrivilege
- 952 7zG.exe: SeRestorePrivilege; privilege LUID 35 (SeCreateSymbolicLinkPrivilege); SeSecurityPrivilege (2 hits)
Both processes are the audio device graph and the 7-Zip GUI extracting the archive; the sample itself does not appear here.
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes:
- 2076 msedge.exe (64 hits)
Suspicious use of SendNotifyMessage (12 IoCs)
Processes:
- 2076 msedge.exe (12 hits)
Suspicious use of WriteProcessMemory (64 IoCs)
All 64 writes are PID 2076 msedge.exe writing into its own child msedge.exe processes (PIDs 2020, 2500, 3396 and 2244, the bulk of them into 2500 and 2244). This is the Chromium sandbox broker setting up child processes it has created suspended, not injection by the sample; modest-menu.exe does not appear as source or target.
Processes (source -> target):
- 2076 msedge.exe -> 2020 msedge.exe
- 2076 msedge.exe -> 2500 msedge.exe
- 2076 msedge.exe -> 3396 msedge.exe
- 2076 msedge.exe -> 2244 msedge.exe
Processes
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://lootdest.com/s?nVNm
  Signatures:
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa7a103cb8,0x7ffa7a103cc8,0x7ffa7a103cd8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1952,11594567861337036769,13302199918653379345,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1960 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1952,11594567861337036769,13302199918653379345,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1952,11594567861337036769,13302199918653379345,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,11594567861337036769,13302199918653379345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,11594567861337036769,13302199918653379345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1952,11594567861337036769,13302199918653379345,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4792 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,11594567861337036769,13302199918653379345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,11594567861337036769,13302199918653379345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,11594567861337036769,13302199918653379345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1952,11594567861337036769,13302199918653379345,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,11594567861337036769,13302199918653379345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,11594567861337036769,13302199918653379345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,11594567861337036769,13302199918653379345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1952,11594567861337036769,13302199918653379345,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5144 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,11594567861337036769,13302199918653379345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6372 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1952,11594567861337036769,13302199918653379345,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5548 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,11594567861337036769,13302199918653379345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7044 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,11594567861337036769,13302199918653379345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,11594567861337036769,13302199918653379345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6560 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,11594567861337036769,13302199918653379345,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3656 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,11594567861337036769,13302199918653379345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7076 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,11594567861337036769,13302199918653379345,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7008 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,11594567861337036769,13302199918653379345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7136 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,11594567861337036769,13302199918653379345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7464 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,11594567861337036769,13302199918653379345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1316 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,11594567861337036769,13302199918653379345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7628 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,11594567861337036769,13302199918653379345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6668 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,11594567861337036769,13302199918653379345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7708 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,11594567861337036769,13302199918653379345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7632 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,11594567861337036769,13302199918653379345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7620 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,11594567861337036769,13302199918653379345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7228 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,11594567861337036769,13302199918653379345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7576 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,11594567861337036769,13302199918653379345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7976 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1952,11594567861337036769,13302199918653379345,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7544 /prefetch:8
    Signatures:
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1952,11594567861337036769,13302199918653379345,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3312 /prefetch:2
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x00000000000004C0 0x00000000000004D8
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Program Files\7-Zip\7zG.exe
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\modest-menu_v1.0.0_[kiddionsmodmenu.com]_\" -ad -an -ai#7zMap22102:144:7zEvent2663
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\Downloads\modest-menu_v1.0.0_[kiddionsmodmenu.com]_\modest-menu.exe
  Command line: "C:\Users\Admin\Downloads\modest-menu_v1.0.0_[kiddionsmodmenu.com]_\modest-menu.exe"
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 8e1dd984856ef51f4512d3bf2c7aef54
  SHA1: 81cb28f2153ec7ae0cbf79c04c1a445efedd125f
  SHA256: 34afac298a256d796d20598df006222ed6900a0dafe0f8507ed3b29bfd2027d7
  SHA512: d1f8dfc7fdc5d0f185de88a420f2e5b364e77904cab99d2ace154407c4936c510f3c49e27eed4e74dd2fbd850ad129eb585a64127105661d5f8066448e9f201d
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: ffa07b9a59daf025c30d00d26391d66f
  SHA1: 382cb374cf0dda03fa67bd55288eeb588b9353da
  SHA256: 7052a8294dd24294974bb11e6f53b7bf36feeb62ce8b5be0c93fbee6bc034afb
  SHA512: 25a29d2a3ba4af0709455a9905a619c9d9375eb4042e959562af8faa087c91afafdb2476599280bbb70960af67d5bd477330f17f7345a7df729aaee997627b3a
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 2KB
  MD5: 3b16ec8ed9626d649359283d42e30442
  SHA1: ae73c2e74b3e233344ace0b344caf252ece2d1a2
  SHA256: 37678d156025725d63c091934d1c5acf346602ed3343dad089c2f0c1399e1315
  SHA512: 3a0ebf5083d8fb07b844a83a780e36c9f00145ffb61b97fb8915f14db65be54fe54cb6e22a5c68c00ce46dcb262795a170c9bbe7b1ae885feb8c355c7244792e
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 3KB
  MD5: 4a562e7e6504f530a81097e515c64330
  SHA1: 4dcd76abe0a61e16e39793b78c16fd92191e084d
  SHA256: 2e888cc618e4158ae5da346f90ea262d9558e68e160b20af5a248818e78441eb
  SHA512: e875562f8a72ae122c38e4925c6b99e47cc085911ebac5b61d86c9222f1b888b95831d397a34ddd05a2ccc4758ccaa16d048213d0916a0a85199f7d9853da133
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 10KB
  MD5: 07442b01d004a86a7ace94252b0c55dd
  SHA1: ac09707a914bde0ebb27c9be1a06c6d2c20e9ea6
  SHA256: 40464491b155c6b3dd1849ab9fd8104e4a688c011faa2705998802620b480ec8
  SHA512: 12b4bd0e60f1a358522a2f074721d95f46df9ab7d60b8bd27fb5db1cf8e826db659e6ebe578756e405f882e96a158a698006a35ba6031101835eb11242e96791
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 10KB
  MD5: 916c04e24ac6f5f87800b58daf96eaf7
  SHA1: 871f3ee9afd559b2129d6e7771d65239cc071695
  SHA256: 6273fcfa353232349648f95b19b2f656154795f40416c737cb15a3f13b269c45
  SHA512: 4012af91030dcfe24465842cb6cefc6d5aaf1de2743e4bc3cac7ba29240f910e4aa19f8151adaea3068f5aa1d2fedef97b3d3f6c9f4ad1dd0a6e8027c4c237d5
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5: dcc48abf3bc50e4b2de6f3d634ac256b
  SHA1: 45ebc6a9e5c6d31db6fb6602ef9aac1bdf5e0fa3
  SHA256: a73ff98de2b44c8fbe6862aabe84bd550734992393b73d17c31174dc16520708
  SHA512: 46e4fb70b8df60f6a8adaed21b0eeb01f65bd4c6ccd7987fea0403d16a092fe1502207861e1674aec105739ed8d1c5d6aaa746d23f3b55827d6d66342cb4e161
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 9KB
  MD5: 0097b3342356cac8bea84f22bda332e8
  SHA1: 5e119f9f263edf55ac466c4b1fbec73349bf1a15
  SHA256: b640ce3739ab1d575f03180c249567e7e7917a4c1f0228b1139f7ff657f96c93
  SHA512: 3ea1773ecd05d7cfdc3b3dff7a7a51faed13b4b8bceddc7ff114d2503af69ccd235bd18b6d9d045815fd309781eef2e5ecf1cb20898532fe86d94d7f71511c2c
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 11KB
  MD5: 7cb8f28f009e599e665db4446f39fb5b
  SHA1: 9cfcf4e87cf3237f4f962325d00cf79d135d79f3
  SHA256: 3c214ddad3ae5e7a3f4765c819ed67bb24c20e486b4ae7b336792c040324c299
  SHA512: 318f6f514b55bb84c6d3961367ba2a1ce4ff5d69993e61b084319d30d2f126b773eeb73ed43eb1be02e74fc02d5cea911b76de6d3e544126cef5554337a5d1ca
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 14KB
  MD5: f85de99b43884e63df636e443ce92d0c
  SHA1: 7521518560c6f900c4a566b3f254e910f6706b83
  SHA256: 3c749bc6c958fab84a3a2a1eba56fbc6c19de9f0109c94c9813f39735eaa836c
  SHA512: a6b9abdbb6125d85836472bed58fe86809a2d5f7fb535bc13ad9cafdd270cd6592ec391fa2b03a33acc082f19dd0f206e1ed5839697d20204f8bf0211c6e130f
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 3KB
  MD5: 3cc18eae0fb67d06939a6110dc13a320
  SHA1: 88bbeef3886cb1ed0f4445aa9e9c39d53f718ffc
  SHA256: 7215a91faa8ce9734779bd5fc02b7b4ce5d4dc043b006b4e65bc47987f0f8ba0
  SHA512: e14cf66aa7ad29e5da9d9f83c0a5cb1746f3c8e5be4f2c8ff6c55da71db13f72502bc7a865052c6908bd45bba60380070e38c248cc419eeb972a84883c43a546
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 3KB
  MD5: 57ac48eae35132dae8a2b1b8860f1bb2
  SHA1: 12d8f61e51440fe7b0b899e29c9dc41e30a9ea9b
  SHA256: 63b3589ff347ce1b77cd0ca0aff9c01c6eb888ef9c20bd40787209e43f40f677
  SHA512: 4d397030e376baf7b8c9b6e16178454e4102b91a3faf7e5df5395e33305db5293a55321b7e5f058c2e976a38ef4ca9ac68b146f991eef2506b40b1f7751dfa82
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 2KB
  MD5: d46da09fc39121ccc65fa7c03d431d53
  SHA1: e8c43f83273da9964ebe7089cdef413530fabd73
  SHA256: 4f1fb0124adf540a2f89554a8aeeb65540ae52656bf39da2ca878a1ec60808c0
  SHA512: 14f2d98ae014b893940d07392727caa62bf4b3fb15f2860147c037ba9aab656fd291a0c708262bb35c4b90dd7cfd78d3d7aee19bceee3bf18d70f625e4db90f3
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57eaae.TMP
  Filesize: 1KB
  MD5: 9312191270c8879192a4d549836a1f1e
  SHA1: 6af49bb92cfa9ef1ba9ff2013eac047882a18e11
  SHA256: ee11525275bd597c80314622c55b60b5de55f8a87026ad7da19e2709aa300751
  SHA512: 53d9c0fea0c2ff8ec8464e3a5a4782a109d8f1a0ea46e158d159fd1e584351321f53b5ed1e5071efa6cd3ffa74f360ff51144e008137ce841e0b81ac104243e5
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: 0a4cb124508c8394d2d2e3b284e9ecfe
  SHA1: a32c2f0b03d351d7e3c03aac69597e8cfc2aa204
SHA256fed4b276964de3ce68cdb765feac4859312dec7450a919a8eaa59c24927f9f0e
SHA512dc0e52acd248747c708b44d68fbf84b33f330afdc4d7a9de07351ea547816e88629e4f77c35f708e04071f58a61dbb3c84c62d7d32649d19b34d799454641cbb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD52f15cd8b548a3365ee3cfcdfe06e4192
SHA138c1599decb59b1b5ecb823885161eb6c1635826
SHA256c85e6389471b4e3b00e49c969f364af2f758bf8664dbd8001b0036dbef77215c
SHA5121a969f333981e36e191b8c1281a37735215909fce5137bd96533b57d31fc04e5a2909c8868b19f3c9928b5111ad4653eb850fd5117cff97e9f326f873c211710
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-msFilesize
11KB
MD5af031abf2664d2d58ee039d43095651a
SHA113037e92355cbd5f3608c1d1c8a3db44b3e94f18
SHA256f8b49eda50919efc0eb140e9b4c6ea43886f54818470841041b02cc72496f392
SHA5126dab42bc9336ddd5569c232751bc04cea02e00c0a16ea1aed09f4d8b7803da0dbed5dab110aeec7007f5ca416d43c5dae953176719c8723b34c74b5f1c0834af
-
C:\Users\Admin\Downloads\Unconfirmed 952522.crdownloadFilesize
16.8MB
MD513b33baf9597ae6ddc68fa9634af16f1
SHA157f3a723634ec00b4f09d066bc0607084cc4b6e5
SHA25675a3295f8c688359fcb7555b80e3f71ee42c5ac1d4525a39b2571107acf06a45
SHA512ed38d6150cbeae60451b74ae50af1bbbaf035924fdd266cf8a8fc8b84fe403dcb689185d1a9b5db048f1c11106a1a655d14d4833c7593512c5661d4c587a2e1c
-
C:\Users\Admin\Downloads\modest-menu_v1.0.0_[kiddionsmodmenu.com]_.zip:Zone.IdentifierFilesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
C:\Users\Admin\Downloads\modest-menu_v1.0.0_[kiddionsmodmenu.com]_\modest-menu.exeFilesize
16.9MB
MD5ce03d8db32b901caba01fa8b1beefe54
SHA176377cea7317bd28af0ccaab276bd49360936a9d
SHA256a568e2a4d89ab76ab9ff11b30bf320dcc4413353660678c51abc79863ff3c1c4
SHA51240ef98ee1dd411d3f634f9fe1ccdac0bc8fa5d13b1392ac5d045bf130db6efc5ebae48298d02a732fe634af953af10c004d54c3a4d5862b7f9cd6736f6ddbfca
-
\??\pipe\LOCAL\crashpad_2076_XPORQEUWZOLXNMXRMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/6076-687-0x00007FF7BE7D0000-0x00007FF7C11DF000-memory.dmpFilesize
42.1MB
-
memory/6076-688-0x00007FF7BE7D0000-0x00007FF7C11DF000-memory.dmpFilesize
42.1MB
-
memory/6076-689-0x00007FF7BE7D0000-0x00007FF7C11DF000-memory.dmpFilesize
42.1MB
-
memory/6076-690-0x00007FF7BE7D0000-0x00007FF7C11DF000-memory.dmpFilesize
42.1MB
-
memory/6076-692-0x00007FF7BE7D0000-0x00007FF7C11DF000-memory.dmpFilesize
42.1MB
-
memory/6076-691-0x00007FF7BE7D0000-0x00007FF7C11DF000-memory.dmpFilesize
42.1MB
-
memory/6076-693-0x00007FF7BE7D0000-0x00007FF7C11DF000-memory.dmpFilesize
42.1MB
-
memory/6076-686-0x00007FF7BE7D0000-0x00007FF7C11DF000-memory.dmpFilesize
42.1MB