hxxps://vencord[.]dev

Analysis

max time kernel
94s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-de
resource tags

arch:x64arch:x86image:win10v2004-20240802-delocale:de-deos:windows10-2004-x64systemwindows
submitted
13/08/2024, 19:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://vencord.dev

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 8 IoCs

pid	Process
3780	VencordInstaller.exe
1560	VencordInstaller.exe
112	VencordInstaller.exe
2264	VencordInstaller.exe
1736	VencordInstaller.exe
3228	VencordInstaller.exe
5084	VencordInstaller.exe
4292	VencordInstaller.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\msmouse.PNF	VencordInstaller.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	msedge.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	VencordInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	VencordInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	VencordInstaller.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Nicht bestätigt 762862.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
2248	msedge.exe
2248	msedge.exe
3832	msedge.exe
3832	msedge.exe
4492	identity_helper.exe
4492	identity_helper.exe
4828	msedge.exe
4828	msedge.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1560	taskmgr.exe
Token: SeSystemProfilePrivilege	1560	taskmgr.exe
Token: SeCreateGlobalPrivilege	1560	taskmgr.exe
Token: 33	1560	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1560	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe

Suspicious use of SendNotifyMessage 63 IoCs

pid	Process
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
3832	msedge.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3780	VencordInstaller.exe
1560	VencordInstaller.exe
112	VencordInstaller.exe
2264	VencordInstaller.exe
1736	VencordInstaller.exe
3228	VencordInstaller.exe
5084	VencordInstaller.exe
4292	VencordInstaller.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3832 wrote to memory of 1580	3832	msedge.exe	84
PID 3832 wrote to memory of 1580	3832	msedge.exe	84
PID 3832 wrote to memory of 4848	3832	msedge.exe	85
PID 3832 wrote to memory of 4848	3832	msedge.exe	85
PID 3832 wrote to memory of 4848	3832	msedge.exe	85
PID 3832 wrote to memory of 4848	3832	msedge.exe	85
PID 3832 wrote to memory of 4848	3832	msedge.exe	85
PID 3832 wrote to memory of 4848	3832	msedge.exe	85
PID 3832 wrote to memory of 4848	3832	msedge.exe	85
PID 3832 wrote to memory of 4848	3832	msedge.exe	85
PID 3832 wrote to memory of 4848	3832	msedge.exe	85
PID 3832 wrote to memory of 4848	3832	msedge.exe	85
PID 3832 wrote to memory of 4848	3832	msedge.exe	85
PID 3832 wrote to memory of 4848	3832	msedge.exe	85
PID 3832 wrote to memory of 4848	3832	msedge.exe	85
PID 3832 wrote to memory of 4848	3832	msedge.exe	85
PID 3832 wrote to memory of 4848	3832	msedge.exe	85
PID 3832 wrote to memory of 4848	3832	msedge.exe	85
PID 3832 wrote to memory of 4848	3832	msedge.exe	85
PID 3832 wrote to memory of 4848	3832	msedge.exe	85
PID 3832 wrote to memory of 4848	3832	msedge.exe	85
PID 3832 wrote to memory of 4848	3832	msedge.exe	85
PID 3832 wrote to memory of 4848	3832	msedge.exe	85
PID 3832 wrote to memory of 4848	3832	msedge.exe	85
PID 3832 wrote to memory of 4848	3832	msedge.exe	85
PID 3832 wrote to memory of 4848	3832	msedge.exe	85
PID 3832 wrote to memory of 4848	3832	msedge.exe	85
PID 3832 wrote to memory of 4848	3832	msedge.exe	85
PID 3832 wrote to memory of 4848	3832	msedge.exe	85
PID 3832 wrote to memory of 4848	3832	msedge.exe	85
PID 3832 wrote to memory of 4848	3832	msedge.exe	85
PID 3832 wrote to memory of 4848	3832	msedge.exe	85
PID 3832 wrote to memory of 4848	3832	msedge.exe	85
PID 3832 wrote to memory of 4848	3832	msedge.exe	85
PID 3832 wrote to memory of 4848	3832	msedge.exe	85
PID 3832 wrote to memory of 4848	3832	msedge.exe	85
PID 3832 wrote to memory of 4848	3832	msedge.exe	85
PID 3832 wrote to memory of 4848	3832	msedge.exe	85
PID 3832 wrote to memory of 4848	3832	msedge.exe	85
PID 3832 wrote to memory of 4848	3832	msedge.exe	85
PID 3832 wrote to memory of 4848	3832	msedge.exe	85
PID 3832 wrote to memory of 4848	3832	msedge.exe	85
PID 3832 wrote to memory of 2248	3832	msedge.exe	86
PID 3832 wrote to memory of 2248	3832	msedge.exe	86
PID 3832 wrote to memory of 4864	3832	msedge.exe	87
PID 3832 wrote to memory of 4864	3832	msedge.exe	87
PID 3832 wrote to memory of 4864	3832	msedge.exe	87
PID 3832 wrote to memory of 4864	3832	msedge.exe	87
PID 3832 wrote to memory of 4864	3832	msedge.exe	87
PID 3832 wrote to memory of 4864	3832	msedge.exe	87
PID 3832 wrote to memory of 4864	3832	msedge.exe	87
PID 3832 wrote to memory of 4864	3832	msedge.exe	87
PID 3832 wrote to memory of 4864	3832	msedge.exe	87
PID 3832 wrote to memory of 4864	3832	msedge.exe	87
PID 3832 wrote to memory of 4864	3832	msedge.exe	87
PID 3832 wrote to memory of 4864	3832	msedge.exe	87
PID 3832 wrote to memory of 4864	3832	msedge.exe	87
PID 3832 wrote to memory of 4864	3832	msedge.exe	87
PID 3832 wrote to memory of 4864	3832	msedge.exe	87
PID 3832 wrote to memory of 4864	3832	msedge.exe	87
PID 3832 wrote to memory of 4864	3832	msedge.exe	87
PID 3832 wrote to memory of 4864	3832	msedge.exe	87
PID 3832 wrote to memory of 4864	3832	msedge.exe	87
PID 3832 wrote to memory of 4864	3832	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://vencord.dev
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcf71846f8,0x7ffcf7184708,0x7ffcf7184718
  2⤵
  PID:1580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,16476924009482804159,7352678685540200441,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
  2⤵
  PID:4848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,16476924009482804159,7352678685540200441,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,16476924009482804159,7352678685540200441,131072 --lang=de --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
  2⤵
  PID:4864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16476924009482804159,7352678685540200441,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:1596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16476924009482804159,7352678685540200441,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:1096
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,16476924009482804159,7352678685540200441,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=5280 /prefetch:8
  2⤵
  PID:1484
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,16476924009482804159,7352678685540200441,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=5280 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16476924009482804159,7352678685540200441,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
  2⤵
  PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16476924009482804159,7352678685540200441,131072 --lang=de --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
  2⤵
  PID:4844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16476924009482804159,7352678685540200441,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2668 /prefetch:1
  2⤵
  PID:2244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16476924009482804159,7352678685540200441,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1
  2⤵
  PID:4568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16476924009482804159,7352678685540200441,131072 --lang=de --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
  2⤵
  PID:3764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,16476924009482804159,7352678685540200441,131072 --lang=de --service-sandbox-type=collections --mojo-platform-channel-handle=5500 /prefetch:8
  2⤵
  PID:1532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16476924009482804159,7352678685540200441,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
  2⤵
  PID:900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2096,16476924009482804159,7352678685540200441,131072 --lang=de --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6160 /prefetch:8
  2⤵
  PID:2800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,16476924009482804159,7352678685540200441,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4828
- C:\Users\Admin\Downloads\VencordInstaller.exe
  "C:\Users\Admin\Downloads\VencordInstaller.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:3780
- C:\Users\Admin\Downloads\VencordInstaller.exe
  "C:\Users\Admin\Downloads\VencordInstaller.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1560
- C:\Users\Admin\Downloads\VencordInstaller.exe
  "C:\Users\Admin\Downloads\VencordInstaller.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  PID:112

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3060

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4748

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:112

C:\Users\Admin\Downloads\VencordInstaller.exe
"C:\Users\Admin\Downloads\VencordInstaller.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2264

C:\Users\Admin\Downloads\VencordInstaller.exe
"C:\Users\Admin\Downloads\VencordInstaller.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1736

C:\Users\Admin\Downloads\VencordInstaller.exe
"C:\Users\Admin\Downloads\VencordInstaller.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3228

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1560

C:\Users\Admin\Downloads\VencordInstaller.exe
"C:\Users\Admin\Downloads\VencordInstaller.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5084

C:\Users\Admin\Downloads\VencordInstaller.exe
"C:\Users\Admin\Downloads\VencordInstaller.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7114a6cd851f9bf56cf771c37d664a2

SHA1
769c5d04fd83e583f15ab1ef659de8f883ecab8a

SHA256
d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e

SHA512
33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
719923124ee00fb57378e0ebcbe894f7

SHA1
cc356a7d27b8b27dc33f21bd4990f286ee13a9f9

SHA256
aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808

SHA512
a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
6e6ea8ab61c5f13f46f65d444b4b1a1d

SHA1
8c203ad626772e536b5869403ac1294a7480c1f6

SHA256
bdea8642652cb6532101ae2470f1fb7d5c36141528eb8e1e34b5b678439d4aca

SHA512
ccdb29d608b28dfeeef7068372fdf012c40c395cab68bc528341333c71fd5f44ea1f5c10fed88c1e5b7e525f04de6669cd87d1bf9b1454ad84ccb9a8f86482ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
622B

MD5
cdeb919ea0e07431b22f0725553a885f

SHA1
9fce6b70313a2c21baba6ff2409b2ae3d2191d89

SHA256
c091b3fb9fccbf59435b98627c7965fd5e1f0d174314c00901c30cbb8187ce24

SHA512
356c2215f870627940adde53bd6e47e69d1d8b6e557e36a26be3ad50bc12994cd4908cb0cee9ba486afd895489cd54894015c657b555be4fdb723fb7660b50f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
91cb20f0f4f45e90eb7208e3544476ea

SHA1
914ed68e71d065d5c3cdffe6a94f779fac4fb1ec

SHA256
649d4e5bcd799a966e6ca5b2bb9739968e62b87c4bd30ace42728f5f21fae41a

SHA512
f2851a009ab3a808f2bd7b6bc7b7d1fec229c36c3db0d31ff19865c4373f5da3ffc91438c4985bf4ee80bf2fd0eda552f24220dc507dd45604db7e7580403b21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5e8ee3aeb38bf967c9d91a72faf1c7f9

SHA1
16329038aecf8133c85653a869c41aaab5bb121e

SHA256
115a83b07d1776e0f7af25784976a12313ba2dec7056fbc365a3834d59298ac2

SHA512
af22b0bdab43ebe9073a628a099faf3802066f67d00ac235a799b7021fe0df902430a15b10beac81d0cbe067a223a05b6512fec9aa881cebfb669c216f39cf52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e39a82fa9229edbaf9d55943352a2332

SHA1
0334f8d2612632b8abef37e587f5ac3bb8ba5fcc

SHA256
622432b400ef1e545d27764ea4242ff57a5cbe95999bbc9b0f864ea1a97fb5f2

SHA512
8dd87f252fb540517973f1e067fb0798a382f74d0d45aace2fbc17690bd8588e47c00cc63b5cd226d2b272edfdebc7955bc6952bdb22e80b6eadf73a98a7c294

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b4f51b22de50b10f4e3c5f91b0d7dbce

SHA1
3cbeb5fa02bdc62a200a69c73dbae06b34a17c42

SHA256
90c750c030f5bd0ec7b77074ee4ec63bda9463a9727847705edbd76c13f31ea6

SHA512
80e462e6cacd802ccb0a152461e1c36bbd54acc50be46ab006a63a50e7ad26c5f53972c57c1dc5869d14dba0427ca20318de691b672313e5e8fa1c3c47096f84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
853f79ad8a1c7b15f5b1d264ee49f9f1

SHA1
77588068c1d3d913bb78f078c88cb1787cbbdaf8

SHA256
b141bd7ef42c53f9dbe92c3535bfa0d0780db22ae2a453d97e1f50c7a21511cd

SHA512
2be007bd17544a4a54104668847158a42f4279876deab8e31b66f0d2c1bb753d61c1cfa5557588f59fcf9da1de68fa0c5a87011abcdc5e76ad5278222853b3f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
e8ff1f2ac0045829886427ea482539f4

SHA1
192e1138f31d83caa136bebdbfa8cbd676db73dd

SHA256
bb480ed6ab4a769d78c5836842df9e895275414d49f4ed7079389a92971f30f6

SHA512
d50ecd06a4f0901f1d86f2c71579d4f723cd085d91baf5cad17a8e900771b44fb11e4bf1168060e4bfc5c69efde2096f2be1542c47da74be23506905945dba78

Download Submit
C:\Users\Admin\Downloads\Nicht bestätigt 762862.crdownload

Filesize
9.9MB

MD5
1b8ee61ddcfd1d425821d76ea54ca829

SHA1
f8daf2bea3d4a6bfc99455d69c3754054de3baa5

SHA256
dc0826657a005009f43bdc3a0933d08352f8b22b2b9b961697a2db6e9913e871

SHA512
75ba16ddc75564e84f5d248326908065942ad50631ec30d7952069caee15b8c5411a8802d25d38e9d80e042f1dde97a0326f4ab4f1c90f8e4b81396ca69c229a

Download Submit
C:\Windows\INF\msmouse.PNF

Filesize
96KB

MD5
49edc923a20b6f7b8a2cbd1d5b6dbd87

SHA1
5ab704c694c552c11e81e07e56b34305cd19f075

SHA256
f3902b6a5d0933fa5c5fc12ae75f53379dd83ff18965e122aa7ab91c5a41a43d

SHA512
d928fc61978703dba163b1f45e6fd26eab9b023125ed5030967bce1cf8389ebb83c595de0e319c9988022214d6db21d398c70dbb7ccc2ac1ebdaeb66af73fd30

Download Submit
memory/112-121-0x00007FF74D180000-0x00007FF74E3F9000-memory.dmp

Filesize
18.5MB

Download
memory/1560-150-0x000002134ACA0000-0x000002134ACA1000-memory.dmp

Filesize
4KB

Download
memory/1560-119-0x00007FF74D180000-0x00007FF74E3F9000-memory.dmp

Filesize
18.5MB

Download
memory/1560-147-0x000002134ACA0000-0x000002134ACA1000-memory.dmp

Filesize
4KB

Download
memory/1560-142-0x000002134ACA0000-0x000002134ACA1000-memory.dmp

Filesize
4KB

Download
memory/1560-141-0x000002134ACA0000-0x000002134ACA1000-memory.dmp

Filesize
4KB

Download
memory/1560-140-0x000002134ACA0000-0x000002134ACA1000-memory.dmp

Filesize
4KB

Download
memory/1560-146-0x000002134ACA0000-0x000002134ACA1000-memory.dmp

Filesize
4KB

Download
memory/1560-152-0x000002134ACA0000-0x000002134ACA1000-memory.dmp

Filesize
4KB

Download
memory/1560-151-0x000002134ACA0000-0x000002134ACA1000-memory.dmp

Filesize
4KB

Download
memory/1560-148-0x000002134ACA0000-0x000002134ACA1000-memory.dmp

Filesize
4KB

Download
memory/1560-149-0x000002134ACA0000-0x000002134ACA1000-memory.dmp

Filesize
4KB

Download
memory/1736-136-0x00007FF74D180000-0x00007FF74E3F9000-memory.dmp

Filesize
18.5MB

Download
memory/2264-125-0x00007FF74D180000-0x00007FF74E3F9000-memory.dmp

Filesize
18.5MB

Download
memory/3228-138-0x00007FF74D180000-0x00007FF74E3F9000-memory.dmp

Filesize
18.5MB

Download
memory/3780-116-0x00007FF7244D0000-0x00007FF725749000-memory.dmp

Filesize
18.5MB

Download
memory/4292-189-0x00007FF74D180000-0x00007FF74E3F9000-memory.dmp

Filesize
18.5MB

Download
memory/5084-187-0x00007FF74D180000-0x00007FF74E3F9000-memory.dmp

Filesize
18.5MB

Download