Analysis
  max time kernel: 600s
  max time network: 592s
  platform: windows10-2004_x64
  resource: win10v2004-20240802-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 23/08/2024, 11:18
Static task: static1
URLScan task: urlscan1
Malware Config
Signatures

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Enumerates connected drives (3 TTPs, 1 IoC)
  Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only) | ioc: \??\E: | Process: cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid: 5616 | Process: MapperSpoofy.exe

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: Volumeid.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Process: msedge.exe
  description: Key opened | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Process: msedge.exe
  description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | Process: msedge.exe

Kills process with taskkill (1 IoC)
  pid: 4368 | Process: taskkill.exe

Modifies registry class (2 IoCs)
  description: Key created | ioc: \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings | Process: msedge.exe
  description: Key created | ioc: \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2392887640-1187051047-2909758433-1000\{76759EB2-89A6-4363-BB78-478BB25215C9} | Process: msedge.exe

Modifies registry key (1 TTP, 2 IoCs)
  pid: 5152 | Process: reg.exe
  pid: 4512 | Process: reg.exe

Suspicious behavior: EnumeratesProcesses (16 IoCs)
  pid/Process: 4496 msedge.exe (x2), 5080 msedge.exe (x2), 3252 identity_helper.exe (x2), 4512 msedge.exe (x2), 5616 MapperSpoofy.exe (x2), 556 msedge.exe (x2), 3992 msedge.exe (x4)

Suspicious behavior: LoadsDriver (1 IoC)
  pid: 660 | Process: Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (15 IoCs)
  pid/Process: 5080 msedge.exe (x15)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege | pid: 4368 | Process: taskkill.exe

Suspicious use of FindShellTrayWindow (34 IoCs)
  pid/Process: 5080 msedge.exe (x34)

Suspicious use of SendNotifyMessage (24 IoCs)
  pid/Process: 5080 msedge.exe (x24)

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid: 5616 | Process: MapperSpoofy.exe
  pid: 2356 | Process: AMIDEWINx64.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  All 64 writes come from PID 5080 (msedge.exe) and land in processes it spawned itself:
  source pid: 5080 msedge.exe | target pid: 4072 | procid_target: 84
  source pid: 5080 msedge.exe | target pid: 1380 | procid_target: 86
  source pid: 5080 msedge.exe | target pid: 4496 | procid_target: 87
  source pid: 5080 msedge.exe | target pid: 4360 | procid_target: 88
  A Chromium-based browser process writes startup data into the sandboxed child processes it creates, so these rows describe normal Edge behaviour rather than injection by the analysed sample; the sample's own binaries (MapperSpoofy.exe, Volumeid.exe, AMIDEWINx64.exe) do not appear as writers.
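The WriteProcessMemory rows above are the kind of signature that is noisy on any page where a browser was opened, so the useful triage question is whether each write is a parent writing into its own freshly created child of the same image (expected for Chromium) or a cross-image or non-child write (worth a look). The Python below is an added example of that check, not tria.ge's signature logic. The process tree and the per-target write counts are constructed for the example (the report gives the four targets and the total of 64, not the split per target), and the final MapperSpoofy.exe -> Volumeid.exe write is a hypothetical event added only to show what a flagged row looks like; the report records no such write.

```python
from collections import Counter

# Constructed process tree for the example: pid -> (parent pid, image).
# PIDs and images follow the report; the two spoofer binaries are top level there.
PROCESS_TREE = {
    5080: (None, "msedge.exe"),
    4072: (5080, "msedge.exe"),
    1380: (5080, "msedge.exe"),
    4496: (5080, "msedge.exe"),
    4360: (5080, "msedge.exe"),
    5616: (None, "MapperSpoofy.exe"),
    6140: (None, "Volumeid.exe"),
}

# Constructed WriteProcessMemory events as (writer pid, target pid).
# The report lists 64 writes from 5080 into its four children; the per-target
# split below is chosen for the example. The last event is hypothetical and is
# NOT in the report; it exists to exercise the flagged path.
WRITES = (
    [(5080, 4072)] * 2
    + [(5080, 1380)] * 40
    + [(5080, 4496)] * 2
    + [(5080, 4360)] * 20
    + [(5616, 6140)]
)


def triage_writes(writes, tree):
    """Split memory writes into expected parent->child same-image writes and the rest.

    Returns (expected, flagged): expected is a Counter keyed by (writer, target),
    flagged is a list of (writer, writer image, target, target image).
    """
    expected = Counter()
    flagged = []
    for writer, target in writes:
        writer_image = tree[writer][1]
        target_parent, target_image = tree[target]
        if target_parent == writer and target_image == writer_image:
            expected[(writer, target)] += 1
        else:
            flagged.append((writer, writer_image, target, target_image))
    return expected, flagged


def summarise(expected):
    """One line per (writer, target) pair, like the collapsed rows in the report."""
    return [f"{w} -> {t}: {n} writes" for (w, t), n in sorted(expected.items())]


if __name__ == "__main__":
    expected, flagged = triage_writes(WRITES, PROCESS_TREE)
    print("\n".join(summarise(expected)))
    for writer, w_img, target, t_img in flagged:
        print(f"FLAG: {writer} ({w_img}) wrote into {target} ({t_img})")
```

The parent check matters as much as the image check: a write from msedge.exe into an unrelated msedge.exe PID that it did not create would still be flagged.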
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5080)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/ALEHACKsp/Valorant-Spoofer
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4072)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff381446f8,0x7fff38144708,0x7fff38144718

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1380)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,12235229359602898094,4882461349719023057,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4496)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,12235229359602898094,4882461349719023057,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4360)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,12235229359602898094,4882461349719023057,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2408)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12235229359602898094,4882461349719023057,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1664)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12235229359602898094,4882461349719023057,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 3980)
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,12235229359602898094,4882461349719023057,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 3252)
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,12235229359602898094,4882461349719023057,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2764)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,12235229359602898094,4882461349719023057,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5624 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4604)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12235229359602898094,4882461349719023057,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4512)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,12235229359602898094,4882461349719023057,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5740 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3652)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12235229359602898094,4882461349719023057,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3980 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4828)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12235229359602898094,4882461349719023057,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5220)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12235229359602898094,4882461349719023057,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5228)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12235229359602898094,4882461349719023057,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6256 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5728)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12235229359602898094,4882461349719023057,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1652 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5872)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12235229359602898094,4882461349719023057,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3232)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2108,12235229359602898094,4882461349719023057,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6556 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 556)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2108,12235229359602898094,4882461349719023057,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5616 /prefetch:8
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5152)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12235229359602898094,4882461349719023057,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5744)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12235229359602898094,4882461349719023057,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3792 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5924)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12235229359602898094,4882461349719023057,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6632 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1276)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12235229359602898094,4882461349719023057,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 716)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12235229359602898094,4882461349719023057,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6820 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4060)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,12235229359602898094,4882461349719023057,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3992)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,12235229359602898094,4882461349719023057,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3736 /prefetch:2
        - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe  (PID 1656)
    C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe  (PID 4268)
    C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\rundll32.exe  (PID 5568)
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\Temp1_Valorant-Spoofer-main.zip\Valorant-Spoofer-main\MapperSpoofy.exe  (PID 5616)
    "C:\Users\Admin\AppData\Local\Temp\Temp1_Valorant-Spoofer-main.zip\Valorant-Spoofer-main\MapperSpoofy.exe"
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx

C:\Users\Admin\AppData\Local\Temp\Temp1_Valorant-Spoofer-main.zip\Valorant-Spoofer-main\Volumeid.exe  (PID 6140)
    "C:\Users\Admin\AppData\Local\Temp\Temp1_Valorant-Spoofer-main.zip\Valorant-Spoofer-main\Volumeid.exe"
    - System Location Discovery: System Language Discovery

C:\Users\Admin\AppData\Local\Temp\Temp1_Valorant-Spoofer-main.zip\Valorant-Spoofer-main\AMIDEWINx64.exe  (PID 2356)
    "C:\Users\Admin\AppData\Local\Temp\Temp1_Valorant-Spoofer-main.zip\Valorant-Spoofer-main\AMIDEWINx64.exe"
    - Suspicious use of SetWindowsHookEx

C:\Windows\system32\cmd.exe  (PID 5132)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Temp1_Valorant-Spoofer-main.zip\Valorant-Spoofer-main\FN.bat" "
    - Enumerates connected drives

    C:\Windows\system32\reg.exe  (PID 5140)
        reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f

    C:\Windows\system32\reg.exe  (PID 3652)
        reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f

    C:\Windows\system32\reg.exe  (PID 3740)
        reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f

    C:\Windows\system32\reg.exe  (PID 4512)
        REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 23117 /f
        - Modifies registry key

    C:\Windows\system32\reg.exe  (PID 5152)
        REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d 5599 /f
        - Modifies registry key

    C:\Windows\system32\reg.exe  (PID 5168)
        reg delete"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\WMI\Security\" /f

    C:\Windows\system32\reg.exe  (PID 1536)
        reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f

    C:\Windows\system32\reg.exe  (PID 4904)
        reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f

    C:\Windows\system32\taskkill.exe  (PID 4368)
        taskkill /IM "EpicGamesLauncher.exe" /F
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
-
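The children of cmd.exe (PID 5132) above are the hardware-identifier-spoofing step of this sample: reg.exe deletes the Epic Games / Unreal Engine identifier keys, REG ADD rewrites both ComputerName values, a further reg delete targets WMI\Security, and taskkill force-kills EpicGamesLauncher.exe. The Python below is an added example, not tria.ge signature code and not anything from the ALEHACKsp repository: it replays those command lines as constructed process-creation events, applies rules equivalent to the report's "Modifies registry key" and "Kills process with taskkill" hits, and clusters them by parent PID so the batch file surfaces as one finding. The event tuple layout, the rule names, the `min_rules` threshold and the benign `reg query` control event are assumptions made for the example. One detail it deliberately handles: the report records the WMI\Security line as `reg delete"HKEY_LOCAL_MACHINE\...` with no space before the quote, so a rule that insists on whitespace between verb and key never fires on it.

```python
import re
from collections import defaultdict

# Constructed process-creation events modelled on the FN.bat phase of the report:
# (parent pid, pid, image path, command line). This tuple layout is an assumption
# for the example, not a tria.ge export format.
EVENTS = [
    (5132, 5140, r"C:\Windows\system32\reg.exe",
     r'reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f'),
    (5132, 3652, r"C:\Windows\system32\reg.exe",
     r'reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f'),
    (5132, 3740, r"C:\Windows\system32\reg.exe",
     r'reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f'),
    (5132, 4512, r"C:\Windows\system32\reg.exe",
     r"REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 23117 /f"),
    (5132, 5152, r"C:\Windows\system32\reg.exe",
     r"REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d 5599 /f"),
    # Copied as the report records it: no space between the verb and the quoted key.
    (5132, 5168, r"C:\Windows\system32\reg.exe",
     r'reg delete"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\WMI\Security\" /f'),
    (5132, 4368, r"C:\Windows\system32\taskkill.exe",
     r'taskkill /IM "EpicGamesLauncher.exe" /F'),
    # Constructed benign control event that must not match any rule.
    (5132, 6001, r"C:\Windows\system32\reg.exe",
     r'reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"'),
]

HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU",
         "HKEY_USERS": "HKU", "HKEY_CLASSES_ROOT": "HKCR"}

# \s* (not \s+) between verb and key is what lets the fused  delete"HKEY...  form match.
REG_RE = re.compile(r'^\s*reg(?:\.exe)?\s+(add|delete)\s*(?:"([^"]*)"|(\S+))', re.IGNORECASE)
TASKKILL_RE = re.compile(r"^\s*taskkill(?:\.exe)?\s+(.*)$", re.IGNORECASE)

# (signature name, reg verb, normalised key prefix); names are this example's own.
REG_RULES = [
    ("Modifies computer name", "add",
     "HKLM\\SYSTEM\\CURRENTCONTROLSET\\CONTROL\\COMPUTERNAME"),
    ("Deletes Epic Games / Unreal Engine identifiers", "delete",
     "HKCU\\SOFTWARE\\EPIC GAMES"),
    ("Deletes WMI security descriptors", "delete",
     "HKLM\\SYSTEM\\CURRENTCONTROLSET\\CONTROL\\WMI\\SECURITY"),
]


def normalize_key(key):
    """Canonical registry path: short hive name, CurrentControlSet, upper case, no trailing backslash."""
    key = key.strip().rstrip("\\")
    hive, _, rest = key.partition("\\")
    hive = HIVES.get(hive.upper(), hive.upper())
    rest = re.sub(r"^SYSTEM\\ControlSet\d{3}\\", r"SYSTEM\\CurrentControlSet\\", rest,
                  flags=re.IGNORECASE)
    return (hive + "\\" + rest).upper()


def classify(cmdline):
    """Return (signature name, detail) for one command line, or None if nothing matches."""
    m = REG_RE.match(cmdline)
    if m:
        verb = m.group(1).lower()
        key = normalize_key(m.group(2) if m.group(2) is not None else m.group(3))
        for name, want_verb, prefix in REG_RULES:
            if verb == want_verb and key.startswith(prefix):
                return name, key
        return None
    m = TASKKILL_RE.match(cmdline)
    if m:
        args = m.group(1)
        forced = re.search(r"(?:^|\s)/F(?:\s|$)", args, re.IGNORECASE)
        image = re.search(r'/IM\s+"?([^"\s]+)"?', args, re.IGNORECASE)
        if forced and image:
            return "Kills process with taskkill", image.group(1)
    return None


def detect(events, min_rules=3):
    """Per-event hits, plus parents whose children trip at least min_rules distinct rules."""
    hits = []
    rules_by_parent = defaultdict(set)
    for ppid, pid, _image, cmdline in events:
        result = classify(cmdline)
        if result is None:
            continue
        hits.append((pid, result[0], result[1]))
        rules_by_parent[ppid].add(result[0])
    clusters = {ppid: sorted(names) for ppid, names in rules_by_parent.items()
                if len(names) >= min_rules}
    return hits, clusters


if __name__ == "__main__":
    hits, clusters = detect(EVENTS)
    for pid, name, detail in hits:
        print(f"pid {pid}: {name} ({detail})")
    for ppid, names in clusters.items():
        print(f"parent {ppid}: children matched {len(names)} rules: {', '.join(names)}")
```

Matching on the normalised key rather than the raw token is what makes the ControlSet001 form the sandbox logs (see the NLS\Language IoC in the signatures) and the CurrentControlSet form the batch file writes compare equal.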
Network
MITRE ATT&CK Enterprise v15
Downloads

(no path recorded)
  Filesize: 152B
  MD5: eeaa8087eba2f63f31e599f6a7b46ef4
  SHA1: f639519deee0766a39cfe258d2ac48e3a9d5ac03
  SHA256: 50fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9
  SHA512: eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c

(no path recorded)
  Filesize: 152B
  MD5: b9569e123772ae290f9bac07e0d31748
  SHA1: 5806ed9b301d4178a959b26d7b7ccf2c0abc6741
  SHA256: 20ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b
  SHA512: cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 2KB
  MD5: 582d0ec0b80b2cab65126f1c64e141cb
  SHA1: bbbdab288c4f266e960842e68bacc2a8a823536b
  SHA256: b09752e1b25842e5061dbcf669e5fda2431ca371b47a40ac5bcfbe06037caf6a
  SHA512: a82c8faa67386a9e62a4a513b8f4d5d4ff56835a4c66d6d2b129de02da8a8485e37b4d6f53081e27bd9278113524e3d9d6b2bdc4a1cbe6b6dab98ebbb5514b4f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 4KB
  MD5: 16de99418b4bae6f1ae95f0418ffa952
  SHA1: 28e25835f5cbec3821c6d3c54082577d4f5dd3c6
  SHA256: 7733911cdc5978eff8532f4af4c0f32f227bcb3c1438debd8809024112fef480
  SHA512: 32080f3f8f9d2f456470b78ee225890faf9acf1f13d23dda6791585cc11be766beb6c3453738cf588971f2abaa29845f57cdab66bf50509236248e66d794fab1

(no path recorded)
  Filesize: 111B
  MD5: 285252a2f6327d41eab203dc2f402c67
  SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
  SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
  SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

(no path recorded)
  Filesize: 111B
  MD5: 807419ca9a4734feaf8d8563a003b048
  SHA1: a723c7d60a65886ffa068711f1e900ccc85922a6
  SHA256: aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
  SHA512: f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

(no path recorded)
  Filesize: 937B
  MD5: f19dac13021f20b49748740a0db8d1f9
  SHA1: bec5a7dfdbc20f073bcf216e65c6dc55e18b0884
  SHA256: 4ac760a8d9bb34af2804204ba38d6bbc9f6769e348d0f623231fe3842758980e
  SHA512: 61624d575212f0970c4e0025750479a02338d09d2a8699512841e0c0d982c9fa7355a1de844ffc5bd0312cb0693f7b0abbee1037f39df63ec356f190d3590fca

(no path recorded)
  Filesize: 1KB
  MD5: 9bd44af42e3a18378e7748d161a2dece
  SHA1: ad202c7f97819c4f54c6ab77772c3661be6e00d6
  SHA256: 2960d842510f55fb06ac71540d1900771a3611cc3bbebf9e3729100c7dd4b5b0
  SHA512: 9495035326ade0a9051d2029cfc5d6bc4a3a6e3606051073baa19583b1d6793672bb4ec318f8e1a97cf06d84228611dac043f8b489cb64d57b0bb290f3e91c8b

(no path recorded)
  Filesize: 1KB
  MD5: 4bae0af5581d5e41769beb3fe05f0aa2
  SHA1: e5e1cf8ab223ee20e47488658a39f4660d966bd1
  SHA256: a0bc3de8314ccef48222ebce8ad7278e3fd0a8de17da49ffeb27b66b9be365b1
  SHA512: dcf3faef4864fc1886c5baf416753bedf4103031de989e9a6d82a30a39c6e9642af92d188e6c5fbcce68218c9f475266287c49ee119411a1707fe029bd0d5319

(no path recorded)
  Filesize: 1KB
  MD5: d0302b5d300019af6d5ab4bdd68f66a2
  SHA1: d95783f4e69696b359b91ad88a0a1b1d60e1a048
  SHA256: 11726b12e223e726dc11b793027b347d9346e6e83b2e8e5af3e7608fd670154a
  SHA512: 0cdb0ab20d7deb553d2e350682bb46fdaad290aeb35efb55ef83a2653fcf2917891dbca12233613cc8eff8c70567c65422bb9efdef6c4718f8f6128d712a5369

(no path recorded)
  Filesize: 5KB
  MD5: 41ac39bb8c27474f79b7b0d1a7bc22f2
  SHA1: b96e2e8d726ec5bc0d08a4b23cb7fe08347fda33
  SHA256: fcf1a16d5c8bdc729841923de96de0f2c4893373e9cfb026e2dfb0d7a0554ef3
  SHA512: bf058e58a4a7d25ee1fe61bfcc657f76c17c7d6983dbb36659700cfb55eeb5d252963071fc7beda8fe17f2cbf6b8030399253951288a026d4b1940f30869acef

(no path recorded)
  Filesize: 6KB
  MD5: 4526e81757f988e807548022923a4cf6
  SHA1: 25d868aaed50a31df75b2e82cfffb2668b034088
  SHA256: 2e42397cd77fd06a6fd90faac109e12c8bf99d3279db18e71d6e1239c4aabf67
  SHA512: 37f98d041bf0dd653c2311809e8ad21ec5536fe72ebf47c9f6fa3c6a32cfd4631b0b1e49c0aff70f230187fb882c3bfa4190503a3ce80622670a2feb33bc1ee0

(no path recorded)
  Filesize: 7KB
  MD5: 93844b9b63e73920e9048e4a022d0a6e
  SHA1: 9d0eeca7144f60c248c1d2b4ced6d179c0660389
  SHA256: 13ac286e595143dffd250b1d7206b941eda8242860c13b45adae53336a69b3d2
  SHA512: 18be86e162d6655f65970084fa614731a0a4b1c867e4afede7d746d91e353b9fb901bd003c03533b457d67b280c14c1d3b95dce8d22ba3ea49814c4a50f5fe71

(no path recorded)
  Filesize: 9KB
  MD5: 41e076c7559358e2fdba94d1615d0f42
  SHA1: f7204462cbe67be129f716f10029550499e80e63
  SHA256: ce8836b13ed904f418a68a23a4098ae091efe825666210c250b67a70159a4447
  SHA512: 1503f2954bdaa4620f8c957054962023eb114a0770315859a22d35298ba8fd3f78455e56e3219ceef8618f3ea53aed70d038cf81c8a9df882c3f8f1577125c7e

(no path recorded)
  Filesize: 1KB
  MD5: e6a73f38ecffeb787335fd97110f018e
  SHA1: 814030af6488e6d747909ba6018d4ebb015d668e
  SHA256: 5748e1ae3bb14b622f61f61ce18282fc4981145155b5552ea97afeedcca7bc3b
  SHA512: 53fefccb6b4f021c42754b22f031445684ce766057186939681e3e2d425adbea85e90b8f2ba9985b39b94941675d55c65baa322732fd89a79d9815660627f84f

(no path recorded)
  Filesize: 1KB
  MD5: dd2b08b14c392c5514f3f968cc1dfe24
  SHA1: bed2a360cfb0bc2adcf3290d38fd754e21fd3bc3
  SHA256: aa9e97032fe9665eadd0360d73f1c4e16fa785c80c52b880181c666c590e5ee4
  SHA512: d8112d0a7f09d5d5fa575fb85cb44a115f637d6ad45d1091da2964da524481aa9f07379e9158ffc62fc948602be614698ea6267b87440048364f62eb08dd244e

(no path recorded)
  Filesize: 2KB
  MD5: b13ef2381e4888755986e7d44bb97bb4
  SHA1: 39efe3ba689ca2dd3f58de87920f6082a1bb91ef
  SHA256: eb3fd3bd5121c2c49c0d295c3105daa1346d113f5fcbbd9da81aad48db233f1b
  SHA512: 498b60d4a4b835e7ef9ecec14c157b0f2d8f049c0abb8275e2754a7820d6550d2e9e4b245c84662c8f468e254791b61643fc1e861e2be477a4cdb58d7f597cf6

(no path recorded)
  Filesize: 1KB
  MD5: 0e1d40e1468e1b9fe2b0f33a39906ba8
  SHA1: e92cbe5ecd6e7d5748bff749c53e6ac778172b53
  SHA256: 7336dae77f92afc98a38b560d8d5aa570d7bfeb8b1092e973edea779ab167a58
  SHA512: 358067ae168b15a67c1ab30def593b34837b0cd56d068153b6aaa029b91933938a8965b68b986a4274c332ed2dc91a30f467abeada7b1219b3e28c6307b42dee

(no path recorded)
  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

(no path recorded)
  Filesize: 11KB
  MD5: a023e20e6f41938a0f928fb14cf43d52
  SHA1: a83cef597e8fd913ef72ac62a7e39eb801c278c1
  SHA256: 3486712971b6a73d3550726464e98cf73d015028878e6cd8fc282e82d617d3cf
  SHA512: cbf5f50a39da642a9bfb36754f44b7462635f7cc4786f85876a4f3a9be99fb69532e7a545b477331246e450c152826e49226388d885273b8bcd0ae5c9aa0d5bd

(no path recorded)
  Filesize: 11KB
  MD5: 47befcff54b87180d5734be27126f462
  SHA1: 77231cda4dd34e47312631a51718357ebd3da969
  SHA256: 681f36c01715d074465085fd51fe4bf68660c8071c3b2275f82889b668167e58
  SHA512: 47457fb4a84955cc93bc46b1ac4b3338324f2ab0b2bfaab8ad9c8af0c2895ff7d5e13de8777b0c4f7eeefac6773a1d79895dfb8ac8339492df2e0262a0ecdf6c

(no path recorded)
  Filesize: 5.2MB
  MD5: ec0dab7fed03907adca447869cfe8252
  SHA1: 546f3308503af8d92cd841210fe7fb71a17c661c
  SHA256: 87e343bc7a031476674f7c325bbdd6a702b135ba52cafd375a49eb228f84716e
  SHA512: 1ff97f6ce1172d5deb7b0c8d3fd88fd0196c34c9b28923dd0aca3820f357a8e3071b54e5b2310338938f4ea1893d076a236f76432a22444e22f20b0bf086caaa