hxxps://github[.]com/ALEHACKsp/Valorant-Spoofer

Analysis

max time kernel
600s
max time network
592s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 11:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/ALEHACKsp/Valorant-Spoofer

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
5616	MapperSpoofy.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Volumeid.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4368	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2392887640-1187051047-2909758433-1000\{76759EB2-89A6-4363-BB78-478BB25215C9}	msedge.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
5152	reg.exe
4512	reg.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4496	msedge.exe
4496	msedge.exe
5080	msedge.exe
5080	msedge.exe
3252	identity_helper.exe
3252	identity_helper.exe
4512	msedge.exe
4512	msedge.exe
5616	MapperSpoofy.exe
5616	MapperSpoofy.exe
556	msedge.exe
556	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe
3992	msedge.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4368	taskkill.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe
5080	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5616	MapperSpoofy.exe
2356	AMIDEWINx64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5080 wrote to memory of 4072	5080	msedge.exe	84
PID 5080 wrote to memory of 4072	5080	msedge.exe	84
PID 5080 wrote to memory of 1380	5080	msedge.exe	86
PID 5080 wrote to memory of 1380	5080	msedge.exe	86
PID 5080 wrote to memory of 1380	5080	msedge.exe	86
PID 5080 wrote to memory of 1380	5080	msedge.exe	86
PID 5080 wrote to memory of 1380	5080	msedge.exe	86
PID 5080 wrote to memory of 1380	5080	msedge.exe	86
PID 5080 wrote to memory of 1380	5080	msedge.exe	86
PID 5080 wrote to memory of 1380	5080	msedge.exe	86
PID 5080 wrote to memory of 1380	5080	msedge.exe	86
PID 5080 wrote to memory of 1380	5080	msedge.exe	86
PID 5080 wrote to memory of 1380	5080	msedge.exe	86
PID 5080 wrote to memory of 1380	5080	msedge.exe	86
PID 5080 wrote to memory of 1380	5080	msedge.exe	86
PID 5080 wrote to memory of 1380	5080	msedge.exe	86
PID 5080 wrote to memory of 1380	5080	msedge.exe	86
PID 5080 wrote to memory of 1380	5080	msedge.exe	86
PID 5080 wrote to memory of 1380	5080	msedge.exe	86
PID 5080 wrote to memory of 1380	5080	msedge.exe	86
PID 5080 wrote to memory of 1380	5080	msedge.exe	86
PID 5080 wrote to memory of 1380	5080	msedge.exe	86
PID 5080 wrote to memory of 1380	5080	msedge.exe	86
PID 5080 wrote to memory of 1380	5080	msedge.exe	86
PID 5080 wrote to memory of 1380	5080	msedge.exe	86
PID 5080 wrote to memory of 1380	5080	msedge.exe	86
PID 5080 wrote to memory of 1380	5080	msedge.exe	86
PID 5080 wrote to memory of 1380	5080	msedge.exe	86
PID 5080 wrote to memory of 1380	5080	msedge.exe	86
PID 5080 wrote to memory of 1380	5080	msedge.exe	86
PID 5080 wrote to memory of 1380	5080	msedge.exe	86
PID 5080 wrote to memory of 1380	5080	msedge.exe	86
PID 5080 wrote to memory of 1380	5080	msedge.exe	86
PID 5080 wrote to memory of 1380	5080	msedge.exe	86
PID 5080 wrote to memory of 1380	5080	msedge.exe	86
PID 5080 wrote to memory of 1380	5080	msedge.exe	86
PID 5080 wrote to memory of 1380	5080	msedge.exe	86
PID 5080 wrote to memory of 1380	5080	msedge.exe	86
PID 5080 wrote to memory of 1380	5080	msedge.exe	86
PID 5080 wrote to memory of 1380	5080	msedge.exe	86
PID 5080 wrote to memory of 1380	5080	msedge.exe	86
PID 5080 wrote to memory of 1380	5080	msedge.exe	86
PID 5080 wrote to memory of 4496	5080	msedge.exe	87
PID 5080 wrote to memory of 4496	5080	msedge.exe	87
PID 5080 wrote to memory of 4360	5080	msedge.exe	88
PID 5080 wrote to memory of 4360	5080	msedge.exe	88
PID 5080 wrote to memory of 4360	5080	msedge.exe	88
PID 5080 wrote to memory of 4360	5080	msedge.exe	88
PID 5080 wrote to memory of 4360	5080	msedge.exe	88
PID 5080 wrote to memory of 4360	5080	msedge.exe	88
PID 5080 wrote to memory of 4360	5080	msedge.exe	88
PID 5080 wrote to memory of 4360	5080	msedge.exe	88
PID 5080 wrote to memory of 4360	5080	msedge.exe	88
PID 5080 wrote to memory of 4360	5080	msedge.exe	88
PID 5080 wrote to memory of 4360	5080	msedge.exe	88
PID 5080 wrote to memory of 4360	5080	msedge.exe	88
PID 5080 wrote to memory of 4360	5080	msedge.exe	88
PID 5080 wrote to memory of 4360	5080	msedge.exe	88
PID 5080 wrote to memory of 4360	5080	msedge.exe	88
PID 5080 wrote to memory of 4360	5080	msedge.exe	88
PID 5080 wrote to memory of 4360	5080	msedge.exe	88
PID 5080 wrote to memory of 4360	5080	msedge.exe	88
PID 5080 wrote to memory of 4360	5080	msedge.exe	88
PID 5080 wrote to memory of 4360	5080	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/ALEHACKsp/Valorant-Spoofer
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff381446f8,0x7fff38144708,0x7fff38144718
  2⤵
  PID:4072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,12235229359602898094,4882461349719023057,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
  2⤵
  PID:1380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,12235229359602898094,4882461349719023057,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,12235229359602898094,4882461349719023057,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
  2⤵
  PID:4360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12235229359602898094,4882461349719023057,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:2408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12235229359602898094,4882461349719023057,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:1664
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,12235229359602898094,4882461349719023057,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 /prefetch:8
  2⤵
  PID:3980
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,12235229359602898094,4882461349719023057,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,12235229359602898094,4882461349719023057,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5624 /prefetch:8
  2⤵
  PID:2764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12235229359602898094,4882461349719023057,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
  2⤵
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,12235229359602898094,4882461349719023057,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5740 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12235229359602898094,4882461349719023057,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3980 /prefetch:1
  2⤵
  PID:3652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12235229359602898094,4882461349719023057,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
  2⤵
  PID:4828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12235229359602898094,4882461349719023057,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
  2⤵
  PID:5220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12235229359602898094,4882461349719023057,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6256 /prefetch:1
  2⤵
  PID:5228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12235229359602898094,4882461349719023057,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1652 /prefetch:1
  2⤵
  PID:5728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12235229359602898094,4882461349719023057,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
  2⤵
  PID:5872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2108,12235229359602898094,4882461349719023057,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6556 /prefetch:8
  2⤵
  PID:3232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2108,12235229359602898094,4882461349719023057,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5616 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12235229359602898094,4882461349719023057,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
  2⤵
  PID:5152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12235229359602898094,4882461349719023057,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3792 /prefetch:1
  2⤵
  PID:5744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12235229359602898094,4882461349719023057,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6632 /prefetch:1
  2⤵
  PID:5924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12235229359602898094,4882461349719023057,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:1276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12235229359602898094,4882461349719023057,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6820 /prefetch:1
  2⤵
  PID:716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12235229359602898094,4882461349719023057,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:1
  2⤵
  PID:4060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,12235229359602898094,4882461349719023057,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3736 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3992

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1656

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4268

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5568

C:\Users\Admin\AppData\Local\Temp\Temp1_Valorant-Spoofer-main.zip\Valorant-Spoofer-main\MapperSpoofy.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Valorant-Spoofer-main.zip\Valorant-Spoofer-main\MapperSpoofy.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5616

C:\Users\Admin\AppData\Local\Temp\Temp1_Valorant-Spoofer-main.zip\Valorant-Spoofer-main\Volumeid.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Valorant-Spoofer-main.zip\Valorant-Spoofer-main\Volumeid.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:6140

C:\Users\Admin\AppData\Local\Temp\Temp1_Valorant-Spoofer-main.zip\Valorant-Spoofer-main\AMIDEWINx64.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Valorant-Spoofer-main.zip\Valorant-Spoofer-main\AMIDEWINx64.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Temp1_Valorant-Spoofer-main.zip\Valorant-Spoofer-main\FN.bat" "
1⤵
- Enumerates connected drives
PID:5132
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
  2⤵
  PID:5140
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
  2⤵
  PID:3652
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
  2⤵
  PID:3740
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 23117 /f
  2⤵
  - Modifies registry key
  PID:4512
- C:\Windows\system32\reg.exe
  REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d 5599 /f
  2⤵
  - Modifies registry key
  PID:5152
- C:\Windows\system32\reg.exe
  reg delete"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\WMI\Security\" /f
  2⤵
  PID:5168
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
  2⤵
  PID:1536
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
  2⤵
  PID:4904
- C:\Windows\system32\taskkill.exe
  taskkill /IM "EpicGamesLauncher.exe" /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eeaa8087eba2f63f31e599f6a7b46ef4

SHA1
f639519deee0766a39cfe258d2ac48e3a9d5ac03

SHA256
50fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9

SHA512
eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9569e123772ae290f9bac07e0d31748

SHA1
5806ed9b301d4178a959b26d7b7ccf2c0abc6741

SHA256
20ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b

SHA512
cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
582d0ec0b80b2cab65126f1c64e141cb

SHA1
bbbdab288c4f266e960842e68bacc2a8a823536b

SHA256
b09752e1b25842e5061dbcf669e5fda2431ca371b47a40ac5bcfbe06037caf6a

SHA512
a82c8faa67386a9e62a4a513b8f4d5d4ff56835a4c66d6d2b129de02da8a8485e37b4d6f53081e27bd9278113524e3d9d6b2bdc4a1cbe6b6dab98ebbb5514b4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
16de99418b4bae6f1ae95f0418ffa952

SHA1
28e25835f5cbec3821c6d3c54082577d4f5dd3c6

SHA256
7733911cdc5978eff8532f4af4c0f32f227bcb3c1438debd8809024112fef480

SHA512
32080f3f8f9d2f456470b78ee225890faf9acf1f13d23dda6791585cc11be766beb6c3453738cf588971f2abaa29845f57cdab66bf50509236248e66d794fab1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
937B

MD5
f19dac13021f20b49748740a0db8d1f9

SHA1
bec5a7dfdbc20f073bcf216e65c6dc55e18b0884

SHA256
4ac760a8d9bb34af2804204ba38d6bbc9f6769e348d0f623231fe3842758980e

SHA512
61624d575212f0970c4e0025750479a02338d09d2a8699512841e0c0d982c9fa7355a1de844ffc5bd0312cb0693f7b0abbee1037f39df63ec356f190d3590fca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
9bd44af42e3a18378e7748d161a2dece

SHA1
ad202c7f97819c4f54c6ab77772c3661be6e00d6

SHA256
2960d842510f55fb06ac71540d1900771a3611cc3bbebf9e3729100c7dd4b5b0

SHA512
9495035326ade0a9051d2029cfc5d6bc4a3a6e3606051073baa19583b1d6793672bb4ec318f8e1a97cf06d84228611dac043f8b489cb64d57b0bb290f3e91c8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
4bae0af5581d5e41769beb3fe05f0aa2

SHA1
e5e1cf8ab223ee20e47488658a39f4660d966bd1

SHA256
a0bc3de8314ccef48222ebce8ad7278e3fd0a8de17da49ffeb27b66b9be365b1

SHA512
dcf3faef4864fc1886c5baf416753bedf4103031de989e9a6d82a30a39c6e9642af92d188e6c5fbcce68218c9f475266287c49ee119411a1707fe029bd0d5319

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
d0302b5d300019af6d5ab4bdd68f66a2

SHA1
d95783f4e69696b359b91ad88a0a1b1d60e1a048

SHA256
11726b12e223e726dc11b793027b347d9346e6e83b2e8e5af3e7608fd670154a

SHA512
0cdb0ab20d7deb553d2e350682bb46fdaad290aeb35efb55ef83a2653fcf2917891dbca12233613cc8eff8c70567c65422bb9efdef6c4718f8f6128d712a5369

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
41ac39bb8c27474f79b7b0d1a7bc22f2

SHA1
b96e2e8d726ec5bc0d08a4b23cb7fe08347fda33

SHA256
fcf1a16d5c8bdc729841923de96de0f2c4893373e9cfb026e2dfb0d7a0554ef3

SHA512
bf058e58a4a7d25ee1fe61bfcc657f76c17c7d6983dbb36659700cfb55eeb5d252963071fc7beda8fe17f2cbf6b8030399253951288a026d4b1940f30869acef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4526e81757f988e807548022923a4cf6

SHA1
25d868aaed50a31df75b2e82cfffb2668b034088

SHA256
2e42397cd77fd06a6fd90faac109e12c8bf99d3279db18e71d6e1239c4aabf67

SHA512
37f98d041bf0dd653c2311809e8ad21ec5536fe72ebf47c9f6fa3c6a32cfd4631b0b1e49c0aff70f230187fb882c3bfa4190503a3ce80622670a2feb33bc1ee0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
93844b9b63e73920e9048e4a022d0a6e

SHA1
9d0eeca7144f60c248c1d2b4ced6d179c0660389

SHA256
13ac286e595143dffd250b1d7206b941eda8242860c13b45adae53336a69b3d2

SHA512
18be86e162d6655f65970084fa614731a0a4b1c867e4afede7d746d91e353b9fb901bd003c03533b457d67b280c14c1d3b95dce8d22ba3ea49814c4a50f5fe71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
41e076c7559358e2fdba94d1615d0f42

SHA1
f7204462cbe67be129f716f10029550499e80e63

SHA256
ce8836b13ed904f418a68a23a4098ae091efe825666210c250b67a70159a4447

SHA512
1503f2954bdaa4620f8c957054962023eb114a0770315859a22d35298ba8fd3f78455e56e3219ceef8618f3ea53aed70d038cf81c8a9df882c3f8f1577125c7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e6a73f38ecffeb787335fd97110f018e

SHA1
814030af6488e6d747909ba6018d4ebb015d668e

SHA256
5748e1ae3bb14b622f61f61ce18282fc4981145155b5552ea97afeedcca7bc3b

SHA512
53fefccb6b4f021c42754b22f031445684ce766057186939681e3e2d425adbea85e90b8f2ba9985b39b94941675d55c65baa322732fd89a79d9815660627f84f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
dd2b08b14c392c5514f3f968cc1dfe24

SHA1
bed2a360cfb0bc2adcf3290d38fd754e21fd3bc3

SHA256
aa9e97032fe9665eadd0360d73f1c4e16fa785c80c52b880181c666c590e5ee4

SHA512
d8112d0a7f09d5d5fa575fb85cb44a115f637d6ad45d1091da2964da524481aa9f07379e9158ffc62fc948602be614698ea6267b87440048364f62eb08dd244e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
b13ef2381e4888755986e7d44bb97bb4

SHA1
39efe3ba689ca2dd3f58de87920f6082a1bb91ef

SHA256
eb3fd3bd5121c2c49c0d295c3105daa1346d113f5fcbbd9da81aad48db233f1b

SHA512
498b60d4a4b835e7ef9ecec14c157b0f2d8f049c0abb8275e2754a7820d6550d2e9e4b245c84662c8f468e254791b61643fc1e861e2be477a4cdb58d7f597cf6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c94b.TMP

Filesize
1KB

MD5
0e1d40e1468e1b9fe2b0f33a39906ba8

SHA1
e92cbe5ecd6e7d5748bff749c53e6ac778172b53

SHA256
7336dae77f92afc98a38b560d8d5aa570d7bfeb8b1092e973edea779ab167a58

SHA512
358067ae168b15a67c1ab30def593b34837b0cd56d068153b6aaa029b91933938a8965b68b986a4274c332ed2dc91a30f467abeada7b1219b3e28c6307b42dee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a023e20e6f41938a0f928fb14cf43d52

SHA1
a83cef597e8fd913ef72ac62a7e39eb801c278c1

SHA256
3486712971b6a73d3550726464e98cf73d015028878e6cd8fc282e82d617d3cf

SHA512
cbf5f50a39da642a9bfb36754f44b7462635f7cc4786f85876a4f3a9be99fb69532e7a545b477331246e450c152826e49226388d885273b8bcd0ae5c9aa0d5bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
47befcff54b87180d5734be27126f462

SHA1
77231cda4dd34e47312631a51718357ebd3da969

SHA256
681f36c01715d074465085fd51fe4bf68660c8071c3b2275f82889b668167e58

SHA512
47457fb4a84955cc93bc46b1ac4b3338324f2ab0b2bfaab8ad9c8af0c2895ff7d5e13de8777b0c4f7eeefac6773a1d79895dfb8ac8339492df2e0262a0ecdf6c

Download Submit
C:\Users\Admin\Downloads\Valorant-Spoofer-main.zip

Filesize
5.2MB

MD5
ec0dab7fed03907adca447869cfe8252

SHA1
546f3308503af8d92cd841210fe7fb71a17c661c

SHA256
87e343bc7a031476674f7c325bbdd6a702b135ba52cafd375a49eb228f84716e

SHA512
1ff97f6ce1172d5deb7b0c8d3fd88fd0196c34c9b28923dd0aca3820f357a8e3071b54e5b2310338938f4ea1893d076a236f76432a22444e22f20b0bf086caaa

Download Submit
memory/5616-234-0x0000000140000000-0x000000014085D000-memory.dmp

Filesize
8.4MB

Download
memory/5616-233-0x00007FFF47260000-0x00007FFF47262000-memory.dmp

Filesize
8KB

Download
memory/5616-232-0x00007FFF47250000-0x00007FFF47252000-memory.dmp

Filesize
8KB

Download