Malware Analysis Report

2024-09-22 11:40

Sample ID 240321-jydgaagd5x
Target Vencord.exe
SHA256 00ce6c60c382436b7c8b9ddb94fbcf88e940c1ab94706555949393718bc1752e
Tags
vencord remcos persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

00ce6c60c382436b7c8b9ddb94fbcf88e940c1ab94706555949393718bc1752e

Threat Level: Known bad

The file Vencord.exe was found to be: Known bad.

The filename borrows that of Vencord, a legitimate open-source Discord client modification, and the persistence value is named "DiscordUpdate"; both are lures. The payload is a Remcos RAT that copies itself to C:\Windows\SysWOW64\System64\scvhost.exe (a "System64" folder that Windows does not create, and a one-letter transposition of svchost.exe), registers that copy in the HKLM and HKCU Run keys and in the Policies\Explorer\Run key, writes into and then replaces the thread context of iexplore.exe (the process-hollowing pattern), repeats the same against dozens of svchost.exe instances, and the detonation shows repeated TCP connections to 147.185.221.18:52136.

Malicious Activity Summary

vencord remcos persistence rat

Remcos

Remcos family

Adds policy Run key to start application

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-03-21 08:04

Signatures

Remcos family

remcos

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-21 08:04

Reported

2024-03-21 08:06

Platform

win7-20240220-en

Max time kernel

149s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Vencord.exe"

Signatures

Remcos

rat remcos

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DiscordUpdate = "\"C:\\Windows\\SysWOW64\\System64\\scvhost.exe\"" \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\Vencord.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DiscordUpdate = "\"C:\\Windows\\SysWOW64\\System64\\scvhost.exe\"" C:\Users\Admin\AppData\Local\Temp\Vencord.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\System64\scvhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DiscordUpdate = "\"C:\\Windows\\SysWOW64\\System64\\scvhost.exe\"" C:\Windows\SysWOW64\System64\scvhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run \??\c:\program files (x86)\internet explorer\iexplore.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\System64\scvhost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DiscordUpdate = "\"C:\\Windows\\SysWOW64\\System64\\scvhost.exe\"" C:\Windows\SysWOW64\System64\scvhost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\DiscordUpdate = "\"C:\\Windows\\SysWOW64\\System64\\scvhost.exe\"" \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DiscordUpdate = "\"C:\\Windows\\SysWOW64\\System64\\scvhost.exe\"" \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\DiscordUpdate = "\"C:\\Windows\\SysWOW64\\System64\\scvhost.exe\"" C:\Users\Admin\AppData\Local\Temp\Vencord.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DiscordUpdate = "\"C:\\Windows\\SysWOW64\\System64\\scvhost.exe\"" C:\Users\Admin\AppData\Local\Temp\Vencord.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\DiscordUpdate = "\"C:\\Windows\\SysWOW64\\System64\\scvhost.exe\"" C:\Windows\SysWOW64\System64\scvhost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\System64\scvhost.exe C:\Users\Admin\AppData\Local\Temp\Vencord.exe N/A
File opened for modification C:\Windows\SysWOW64\System64\scvhost.exe C:\Users\Admin\AppData\Local\Temp\Vencord.exe N/A
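The Run-key rows above (the HKLM Policies\Explorer\Run key, the Wow6432Node Run key and the user's HKCU Run key, all pointing at C:\Windows\SysWOW64\System64\scvhost.exe) and the file drop into an invented System64 folder can be triaged mechanically. The Python below is an added example written for this page, not part of the sandbox output or of any Remcos tooling: it parses rows in the same layout as the table above (the sample rows are constructed to mirror the report, with one benign OneDrive row added for contrast), keeps only autorun locations, and flags any target that lives in a non-standard directory under C:\Windows, reuses a system binary name outside its home directory, or is an edit-distance lookalike of one (scvhost.exe versus svchost.exe). The SYSTEM_BINARIES and SYSTEM_DIRS lists and the 0.85 similarity cutoff are the example's own assumptions.

```python
"""Triage autorun registry writes from a sandbox signature table.

Added example for this page; not part of the sandbox output. The sample
rows are constructed to mirror the report's 'Set value (str)' rows. The
SYSTEM_BINARIES / SYSTEM_DIRS lists and the similarity cutoff are the
example's own assumptions.
"""
import difflib
import ntpath
import re
from dataclasses import dataclass, field

# Constructed rows in the report's layout: three persistence writes as in the
# report (different hives, different writing processes) plus one benign
# OneDrive entry so the rules have something to let through.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DiscordUpdate = "\"C:\\Windows\\SysWOW64\\System64\\scvhost.exe\"" \??\c:\program files (x86)\internet explorer\iexplore.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DiscordUpdate = "\"C:\\Windows\\SysWOW64\\System64\\scvhost.exe\"" C:\Windows\SysWOW64\System64\scvhost.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\DiscordUpdate = "\"C:\\Windows\\SysWOW64\\System64\\scvhost.exe\"" C:\Users\Admin\AppData\Local\Temp\Vencord.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\"" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A',
]

ROW_RE = re.compile(
    r'^Set value \(str\) (?P<path>\S+) = "(?P<data>.*?)" (?P<proc>.+) (?P<target>\S+)$'
)

# Key suffixes whose values execute at logon (the two locations the report shows).
AUTORUN_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\policies\\explorer\\run\\")

# Assumed lists: core Windows binaries and the only directories they live in.
SYSTEM_BINARIES = ("svchost.exe", "csrss.exe", "lsass.exe", "services.exe",
                   "wininit.exe", "winlogon.exe", "explorer.exe", "dllhost.exe",
                   "conhost.exe", "rundll32.exe")
SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system32", "c:\\windows\\syswow64"}


@dataclass
class Finding:
    key: str          # registry key the value lives in
    value_name: str   # e.g. DiscordUpdate
    image: str        # executable the value launches
    writer: str       # process that wrote the value
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def unescape(data: str) -> str:
    """Undo the JSON-style escaping the sandbox applies to the data column."""
    return data.replace("\\\\", "\\").replace('\\"', '"')


def image_from_command(cmd: str) -> str:
    """Executable part of a Run value: the quoted path, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def check_image(image: str) -> list:
    """Masquerading checks on the launched executable's directory and name."""
    reasons = []
    directory, name = ntpath.split(image.lower())
    if directory.startswith("c:\\windows") and directory not in SYSTEM_DIRS:
        reasons.append(f"non-standard directory under C:\\Windows: {directory}")
    if name in SYSTEM_BINARIES:
        if directory not in SYSTEM_DIRS:
            reasons.append(f"{name} outside its normal directory")
    else:
        # Edit-distance lookalike: scvhost.exe is one transposition from svchost.exe.
        close = difflib.get_close_matches(name, SYSTEM_BINARIES, n=1, cutoff=0.85)
        if close:
            reasons.append(f"{name} looks like {close[0]}")
    return reasons


def triage(rows) -> list:
    """Parse signature rows and return one Finding per autorun value written."""
    findings = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        path = m["path"]
        if not any(marker in path.lower() for marker in AUTORUN_MARKERS):
            continue  # not an autorun location
        key, _, value_name = path.rpartition("\\")
        image = image_from_command(unescape(m["data"]))
        findings.append(Finding(key, value_name, image, m["proc"], check_image(image)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        flag = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"{flag:10} {f.value_name:14} {f.image}  <- {f.writer}")
        for r in f.reasons:
            print(f"{'':10} - {r}")
```

Run stand-alone it prints the three DiscordUpdate writes as SUSPICIOUS with two reasons each (non-standard System64 directory, lookalike of svchost.exe) and the OneDrive entry as ok. The writer column is kept deliberately: the same value being written by Vencord.exe, scvhost.exe and the hollowed iexplore.exe is itself evidence that the payload re-asserts persistence from every stage.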

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2564 set thread context of 2984 N/A C:\Windows\SysWOW64\System64\scvhost.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 2984 set thread context of 2532 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 2544 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 2436 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 2932 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 2904 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 2616 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 2632 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 2772 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 2728 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 2140 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 1648 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 1728 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 2260 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 2360 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 2152 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 1612 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 3040 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 2792 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 1668 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 2592 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 2064 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 696 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 596 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 276 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 3004 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 2104 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 1432 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 1608 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 1552 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 1592 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 1012 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 2292 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 1952 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 1272 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 2052 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 1440 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 1744 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 2164 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 1536 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 2704 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 2576 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 3008 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 2656 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 2408 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 2384 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 780 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 2888 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 2424 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 2588 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 2788 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 2712 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 860 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 1916 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 1936 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 1932 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 2144 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 1456 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 1708 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 2216 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 1856 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 600 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 592 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 set thread context of 2240 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\System64\scvhost.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\System64\scvhost.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
(this iexplore.exe row appears 63 times in the original table; the 62 repeats are collapsed here)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1028 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\Vencord.exe C:\Windows\SysWOW64\WScript.exe
PID 1028 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\Vencord.exe C:\Windows\SysWOW64\WScript.exe
PID 1028 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\Vencord.exe C:\Windows\SysWOW64\WScript.exe
PID 1028 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\Vencord.exe C:\Windows\SysWOW64\WScript.exe
PID 2464 wrote to memory of 2580 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2580 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2580 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2580 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2580 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\System64\scvhost.exe
PID 2580 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\System64\scvhost.exe
PID 2580 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\System64\scvhost.exe
PID 2580 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\System64\scvhost.exe
PID 2564 wrote to memory of 2984 N/A C:\Windows\SysWOW64\System64\scvhost.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 2564 wrote to memory of 2984 N/A C:\Windows\SysWOW64\System64\scvhost.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 2564 wrote to memory of 2984 N/A C:\Windows\SysWOW64\System64\scvhost.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 2564 wrote to memory of 2984 N/A C:\Windows\SysWOW64\System64\scvhost.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 2564 wrote to memory of 2984 N/A C:\Windows\SysWOW64\System64\scvhost.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 2984 wrote to memory of 2532 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 wrote to memory of 2532 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 wrote to memory of 2532 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 wrote to memory of 2532 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 wrote to memory of 2532 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 wrote to memory of 2544 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 wrote to memory of 2544 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 wrote to memory of 2544 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 wrote to memory of 2544 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 wrote to memory of 2544 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 wrote to memory of 2436 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 wrote to memory of 2436 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 wrote to memory of 2436 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 wrote to memory of 2436 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 wrote to memory of 2436 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 wrote to memory of 2932 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 wrote to memory of 2932 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 wrote to memory of 2932 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 wrote to memory of 2932 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 wrote to memory of 2932 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 wrote to memory of 2904 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 wrote to memory of 2904 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 wrote to memory of 2904 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 wrote to memory of 2904 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 wrote to memory of 2904 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 wrote to memory of 2616 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 wrote to memory of 2616 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 wrote to memory of 2616 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 wrote to memory of 2616 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 wrote to memory of 2616 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 wrote to memory of 2632 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 wrote to memory of 2632 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 wrote to memory of 2632 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 wrote to memory of 2632 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 wrote to memory of 2632 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 wrote to memory of 2772 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 wrote to memory of 2772 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 wrote to memory of 2772 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 wrote to memory of 2772 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 wrote to memory of 2772 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 wrote to memory of 2728 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 wrote to memory of 2728 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 wrote to memory of 2728 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 wrote to memory of 2728 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 wrote to memory of 2728 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 wrote to memory of 2140 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 2984 wrote to memory of 2140 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
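The SetThreadContext and WriteProcessMemory tables above together describe one chain: cmd.exe starts scvhost.exe (PID 2564), scvhost.exe writes into and then replaces the thread context of iexplore.exe (PID 2984), and iexplore.exe does the same to dozens of svchost.exe processes. The sandbox records a write from every parent to the child it creates (the WScript.exe to cmd.exe and cmd.exe to scvhost.exe rows show this), so a write on its own is not the signal; a write plus a SetThreadContext on the same target is. The Python below is an added example, not sandbox code: it parses rows in the tables' layout (the sample rows reuse the report's PIDs and paths but are a constructed subset, including one duplicated write row as in the original), pairs writes with context changes to find hollowing candidates, rebuilds the lineage back to Vencord.exe, and alerts on svchost.exe being hollowed by anything other than services.exe. Treating a write-only edge as parent-to-child creation, and services.exe as the only legitimate parent of svchost.exe, are the example's assumptions.

```python
"""Rebuild the injection chain from WriteProcessMemory / SetThreadContext rows.

Added example for this page; not sandbox code. The sample rows reuse PIDs and
paths from the report but are a constructed subset of its tables. Treating a
write-only edge as ordinary parent->child creation, and services.exe as the
only legitimate parent of svchost.exe, are the example's assumptions.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) (?P<dst>\d+) N/A "
    r"(?P<src_image>.+?) (?P<dst_image>(?:[A-Za-z]:\\|\\\?\?\\).*)$"
)

# Constructed subset of the report's rows; the 1028 -> 2464 row is duplicated
# because the sandbox logs one row per write, as in the original table.
SAMPLE_EVENTS = [
    r"PID 1028 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\Vencord.exe C:\Windows\SysWOW64\WScript.exe",
    r"PID 1028 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\Vencord.exe C:\Windows\SysWOW64\WScript.exe",
    r"PID 2464 wrote to memory of 2580 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe",
    r"PID 2580 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\System64\scvhost.exe",
    r"PID 2564 wrote to memory of 2984 N/A C:\Windows\SysWOW64\System64\scvhost.exe \??\c:\program files (x86)\internet explorer\iexplore.exe",
    r"PID 2564 set thread context of 2984 N/A C:\Windows\SysWOW64\System64\scvhost.exe \??\c:\program files (x86)\internet explorer\iexplore.exe",
    r"PID 2984 wrote to memory of 2532 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe",
    r"PID 2984 set thread context of 2532 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe",
    r"PID 2984 wrote to memory of 2544 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe",
    r"PID 2984 set thread context of 2544 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe",
]


@dataclass(frozen=True)
class Event:
    src: int
    src_image: str
    op: str
    dst: int
    dst_image: str


def parse_events(rows):
    """Parse table rows; rows that do not fit the layout are skipped."""
    events = []
    for row in rows:
        m = EVENT_RE.match(row)
        if m:
            events.append(Event(int(m["src"]), m["src_image"], m["op"],
                                int(m["dst"]), m["dst_image"]))
    return events


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


class InjectionGraph:
    def __init__(self, events):
        self.images = {}          # pid -> image path
        self.writes = Counter()   # (src, dst) -> number of WriteProcessMemory rows
        self.ctx = set()          # (src, dst) pairs with a SetThreadContext row
        for e in events:
            self.images[e.src] = e.src_image
            self.images[e.dst] = e.dst_image
            if e.op.startswith("wrote"):
                self.writes[(e.src, e.dst)] += 1
            else:
                self.ctx.add((e.src, e.dst))

    def hollowing_pairs(self):
        """(injector, victim) pairs that were both written to and had their
        thread context replaced by the same process: the hollowing pattern.
        A parent that only wrote to its child (cmd.exe -> scvhost.exe) is
        ordinary process creation and is left out."""
        return sorted(pair for pair in self.ctx if pair in self.writes)

    def victims_by_injector(self):
        """Image names of hollowed processes, counted per injector PID."""
        out = defaultdict(Counter)
        for src, dst in self.hollowing_pairs():
            out[src][basename(self.images[dst])] += 1
        return {src: dict(c) for src, c in out.items()}

    def lineage(self, pid: int):
        """Follow write edges from a process back to the root of the chain."""
        parents = {dst: src for (src, dst) in self.writes}
        chain = [pid]
        while chain[-1] in parents and parents[chain[-1]] not in chain:
            chain.append(parents[chain[-1]])
        return [basename(self.images[p]) for p in chain]

    def masquerade_alerts(self):
        """svchost.exe is normally started only by services.exe; any other
        process hollowing it is an alert."""
        alerts = []
        for src, dst in self.hollowing_pairs():
            if (basename(self.images[dst]) == "svchost.exe"
                    and basename(self.images[src]) != "services.exe"):
                alerts.append(f"{basename(self.images[src])} (PID {src}) "
                              f"hollowed svchost.exe (PID {dst})")
        return alerts


if __name__ == "__main__":
    g = InjectionGraph(parse_events(SAMPLE_EVENTS))
    for src, victims in g.victims_by_injector().items():
        print(f"PID {src} {basename(g.images[src])} hollowed {victims}")
    print(" <- ".join(g.lineage(2532)))
    for a in g.masquerade_alerts():
        print("ALERT:", a)
```

On the full tables the same logic yields one victim for scvhost.exe (iexplore.exe) and sixty-odd for iexplore.exe (all svchost.exe), with the lineage of every svchost.exe running back through iexplore.exe, scvhost.exe, cmd.exe and WScript.exe to Vencord.exe. The caveat is that the sandbox does not expose the create-suspended and resume-thread calls that complete the hollowing sequence, so the write-plus-context-change pairing is the strongest evidence this report format offers, not a full proof.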

Processes

C:\Users\Admin\AppData\Local\Temp\Vencord.exe

"C:\Users\Admin\AppData\Local\Temp\Vencord.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c "C:\Windows\SysWOW64\System64\scvhost.exe"

(The command lines name System32 while the process images resolve to SysWOW64: Vencord.exe is a 32-bit process, so WOW64 file-system redirection maps its System32 lookups to SysWOW64. That is normal and not a sign of tampering; the oddity is the extra "System64" folder, which Windows does not create.)

C:\Windows\SysWOW64\System64\scvhost.exe

C:\Windows\SysWOW64\System64\scvhost.exe

\??\c:\program files (x86)\internet explorer\iexplore.exe

"c:\program files (x86)\internet explorer\iexplore.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

(74 instances of C:\Windows\SysWOW64\svchost.exe in total, each started with the bare command line "svchost.exe"; the entry above stands for all of them. The SetThreadContext table attributes the injection into these processes to iexplore.exe, PID 2984. A genuine svchost.exe is started by services.exe with a "-k <group>" argument, so a bare "svchost.exe" command line reached from iexplore.exe is itself a high-confidence indicator.)

Network

Country Destination Domain Proto
US 147.185.221.18:52136 (none) tcp

(7 identical TCP flows to 147.185.221.18:52136 within the 143 s network window. No domain is associated with the flows, consistent with a hard-coded C2 address rather than a DNS-resolved host.)

Files

C:\Users\Admin\AppData\Local\Temp\install.vbs

MD5 aa3bb02fdbe0aed95d2adf0ef033c2be
SHA1 002f7db7d5e7d368d27d7b1efd1a4f571fac1740
SHA256 d2f9e454aa3a7e614f38219f333420f2ac7963fffafccf3105929c280274de59
SHA512 3a49dfd9d827efdab3abf6220375ba921dde0772bba2b0674ed2562da27853f0df0b786f26c233ca96d8d89c1c95489330c3aea07e62c0b0a6ed716324d8c913

\Windows\SysWOW64\System64\scvhost.exe

MD5 e206c8908d5c24a3dda14322807d8e50
SHA1 144d9d69ba30e08dbe79ac3fae47e7c88aedb448
SHA256 00ce6c60c382436b7c8b9ddb94fbcf88e940c1ab94706555949393718bc1752e
SHA512 9c2ab2d8b6b5b72029ee2c8b34648abde2fa8166fcdd0c0532a720eeb908ad75cb99bbf4e747c314321f7872f92ba8657000c1231084c08a058f24035b752479

(Same SHA256 as the submitted Vencord.exe: the dropper copies itself byte-for-byte into the System64 folder, so the one file hash covers both the lure and the persisted copy.)

memory/2984-11-0x00000000001D0000-0x000000000024F000-memory.dmp

memory/2984-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2984-13-0x00000000001D0000-0x000000000024F000-memory.dmp

memory/2984-14-0x00000000001D0000-0x000000000024F000-memory.dmp

memory/2984-16-0x00000000001D0000-0x000000000024F000-memory.dmp

memory/2532-21-0x0000000000080000-0x00000000000FF000-memory.dmp

memory/2984-17-0x00000000001D0000-0x000000000024F000-memory.dmp

memory/2532-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2984-18-0x00000000001D0000-0x000000000024F000-memory.dmp

memory/2532-24-0x0000000000080000-0x00000000000FF000-memory.dmp

memory/2532-23-0x0000000000080000-0x00000000000FF000-memory.dmp

memory/2544-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2544-30-0x0000000000080000-0x00000000000FF000-memory.dmp

memory/2436-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2436-36-0x0000000000080000-0x00000000000FF000-memory.dmp

memory/2932-37-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2932-42-0x0000000000080000-0x00000000000FF000-memory.dmp

memory/2904-43-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2904-45-0x00000000000F0000-0x000000000016F000-memory.dmp

memory/2904-47-0x00000000000F0000-0x000000000016F000-memory.dmp

memory/2904-48-0x00000000000F0000-0x000000000016F000-memory.dmp

memory/2616-49-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2616-54-0x0000000000080000-0x00000000000FF000-memory.dmp

memory/2632-55-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2632-60-0x0000000000080000-0x00000000000FF000-memory.dmp

memory/2772-61-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2772-63-0x0000000000180000-0x00000000001FF000-memory.dmp

memory/2772-65-0x0000000000180000-0x00000000001FF000-memory.dmp

memory/2772-66-0x0000000000180000-0x00000000001FF000-memory.dmp

memory/2728-67-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2728-69-0x00000000000D0000-0x000000000014F000-memory.dmp

memory/2728-71-0x00000000000D0000-0x000000000014F000-memory.dmp

memory/2728-72-0x00000000000D0000-0x000000000014F000-memory.dmp

memory/2140-73-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2140-78-0x0000000000080000-0x00000000000FF000-memory.dmp

memory/2984-79-0x00000000001D0000-0x000000000024F000-memory.dmp

memory/1648-80-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1648-82-0x0000000000190000-0x000000000020F000-memory.dmp

memory/1648-84-0x0000000000190000-0x000000000020F000-memory.dmp

memory/1648-85-0x0000000000190000-0x000000000020F000-memory.dmp

memory/1728-93-0x00000000000D0000-0x000000000014F000-memory.dmp

memory/2260-99-0x0000000000170000-0x00000000001EF000-memory.dmp

memory/2360-105-0x0000000000080000-0x00000000000FF000-memory.dmp

memory/2152-111-0x0000000000190000-0x000000000020F000-memory.dmp

memory/1612-117-0x0000000000220000-0x000000000029F000-memory.dmp

memory/3040-123-0x0000000000130000-0x00000000001AF000-memory.dmp

memory/2792-129-0x0000000000080000-0x00000000000FF000-memory.dmp

memory/1668-135-0x00000000000C0000-0x000000000013F000-memory.dmp

memory/2592-141-0x0000000000080000-0x00000000000FF000-memory.dmp

memory/2064-147-0x00000000001E0000-0x000000000025F000-memory.dmp

memory/696-153-0x0000000000090000-0x000000000010F000-memory.dmp

memory/596-161-0x0000000000080000-0x00000000000FF000-memory.dmp

memory/276-167-0x00000000000F0000-0x000000000016F000-memory.dmp

memory/3004-173-0x0000000000130000-0x00000000001AF000-memory.dmp

memory/2104-179-0x00000000000F0000-0x000000000016F000-memory.dmp

memory/1432-185-0x0000000000150000-0x00000000001CF000-memory.dmp

memory/1608-191-0x00000000001A0000-0x000000000021F000-memory.dmp

memory/1552-197-0x0000000000160000-0x00000000001DF000-memory.dmp

memory/1592-203-0x0000000000080000-0x00000000000FF000-memory.dmp

memory/1012-209-0x0000000000080000-0x00000000000FF000-memory.dmp

memory/2292-215-0x0000000000080000-0x00000000000FF000-memory.dmp

memory/1952-221-0x0000000000080000-0x00000000000FF000-memory.dmp

memory/1272-229-0x0000000000080000-0x00000000000FF000-memory.dmp

memory/2052-235-0x0000000000080000-0x00000000000FF000-memory.dmp

memory/1440-241-0x00000000000D0000-0x000000000014F000-memory.dmp

memory/1744-247-0x00000000000F0000-0x000000000016F000-memory.dmp

memory/2164-253-0x00000000000F0000-0x000000000016F000-memory.dmp

memory/1536-259-0x0000000000110000-0x000000000018F000-memory.dmp

memory/2704-265-0x00000000001D0000-0x000000000024F000-memory.dmp

memory/2576-271-0x00000000000D0000-0x000000000014F000-memory.dmp

memory/3008-277-0x0000000000110000-0x000000000018F000-memory.dmp

memory/2656-283-0x00000000000D0000-0x000000000014F000-memory.dmp

memory/2408-289-0x00000000000C0000-0x000000000013F000-memory.dmp

memory/2384-297-0x00000000000D0000-0x000000000014F000-memory.dmp

memory/780-303-0x0000000000130000-0x00000000001AF000-memory.dmp

memory/2888-309-0x0000000000110000-0x000000000018F000-memory.dmp

memory/2424-315-0x0000000000110000-0x000000000018F000-memory.dmp

memory/2588-321-0x00000000000C0000-0x000000000013F000-memory.dmp

memory/2788-327-0x0000000000080000-0x00000000000FF000-memory.dmp

memory/2712-333-0x0000000000080000-0x00000000000FF000-memory.dmp

memory/860-339-0x00000000000F0000-0x000000000016F000-memory.dmp

memory/1916-345-0x0000000000180000-0x00000000001FF000-memory.dmp

memory/1936-351-0x0000000000150000-0x00000000001CF000-memory.dmp

memory/1932-357-0x0000000000080000-0x00000000000FF000-memory.dmp

memory/2144-365-0x0000000000100000-0x000000000017F000-memory.dmp

memory/1456-371-0x0000000000170000-0x00000000001EF000-memory.dmp

memory/1708-377-0x00000000000C0000-0x000000000013F000-memory.dmp

memory/2216-383-0x0000000000130000-0x00000000001AF000-memory.dmp

memory/1856-389-0x00000000000C0000-0x000000000013F000-memory.dmp

memory/600-395-0x0000000000080000-0x00000000000FF000-memory.dmp

memory/592-401-0x0000000000080000-0x00000000000FF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-21 08:04

Reported

2024-03-21 08:06

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Vencord.exe"

Signatures

Remcos

rat remcos

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DiscordUpdate = "\"C:\\Windows\\SysWOW64\\System64\\scvhost.exe\"" \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\Vencord.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DiscordUpdate = "\"C:\\Windows\\SysWOW64\\System64\\scvhost.exe\"" C:\Users\Admin\AppData\Local\Temp\Vencord.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\System64\scvhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DiscordUpdate = "\"C:\\Windows\\SysWOW64\\System64\\scvhost.exe\"" C:\Windows\SysWOW64\System64\scvhost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run \??\c:\program files (x86)\internet explorer\iexplore.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Vencord.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\System64\scvhost.exe N/A
N/A N/A C:\Windows\SysWOW64\System64\scvhost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DiscordUpdate = "\"C:\\Windows\\SysWOW64\\System64\\scvhost.exe\"" C:\Users\Admin\AppData\Local\Temp\Vencord.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DiscordUpdate = "\"C:\\Windows\\SysWOW64\\System64\\scvhost.exe\"" C:\Users\Admin\AppData\Local\Temp\Vencord.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DiscordUpdate = "\"C:\\Windows\\SysWOW64\\System64\\scvhost.exe\"" C:\Windows\SysWOW64\System64\scvhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DiscordUpdate = "\"C:\\Windows\\SysWOW64\\System64\\scvhost.exe\"" C:\Windows\SysWOW64\System64\scvhost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DiscordUpdate = "\"C:\\Windows\\SysWOW64\\System64\\scvhost.exe\"" \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DiscordUpdate = "\"C:\\Windows\\SysWOW64\\System64\\scvhost.exe\"" \??\c:\program files (x86)\internet explorer\iexplore.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\System64\scvhost.exe C:\Users\Admin\AppData\Local\Temp\Vencord.exe N/A
File opened for modification C:\Windows\SysWOW64\System64\scvhost.exe C:\Users\Admin\AppData\Local\Temp\Vencord.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4772 set thread context of 1564 N/A C:\Windows\SysWOW64\System64\scvhost.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 1564 set thread context of 1348 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 3144 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 3948 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 2444 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 4476 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 3684 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 1536 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 4560 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 4324 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 440 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 2740 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 536 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 1496 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 3152 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 4444 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 1388 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 3112 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 4792 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 3876 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 4200 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 4244 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 4984 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 2920 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 1156 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 4948 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 752 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 1948 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 3104 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 2548 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 4904 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 3968 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 4128 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 3008 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 4960 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 2340 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 4064 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 4892 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 2620 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 3400 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 3860 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 2772 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 2496 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 3996 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 4652 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 3536 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 4752 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 3704 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 740 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 3456 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 1704 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 4020 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 1336 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 1600 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 1812 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 4988 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 1060 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 1980 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 1252 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 2452 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 5016 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 2892 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 4992 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 set thread context of 2588 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\Vencord.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\System64\scvhost.exe N/A
N/A N/A C:\Windows\SysWOW64\System64\scvhost.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\System64\scvhost.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A
N/A N/A \??\c:\program files (x86)\internet explorer\iexplore.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3052 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\Vencord.exe C:\Windows\SysWOW64\WScript.exe
PID 3052 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\Vencord.exe C:\Windows\SysWOW64\WScript.exe
PID 3052 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\Vencord.exe C:\Windows\SysWOW64\WScript.exe
PID 3008 wrote to memory of 3608 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 3608 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 3608 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3608 wrote to memory of 4772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\System64\scvhost.exe
PID 3608 wrote to memory of 4772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\System64\scvhost.exe
PID 3608 wrote to memory of 4772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\System64\scvhost.exe
PID 4772 wrote to memory of 1564 N/A C:\Windows\SysWOW64\System64\scvhost.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 4772 wrote to memory of 1564 N/A C:\Windows\SysWOW64\System64\scvhost.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 4772 wrote to memory of 1564 N/A C:\Windows\SysWOW64\System64\scvhost.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 4772 wrote to memory of 1564 N/A C:\Windows\SysWOW64\System64\scvhost.exe \??\c:\program files (x86)\internet explorer\iexplore.exe
PID 1564 wrote to memory of 1348 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 wrote to memory of 1348 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 wrote to memory of 1348 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 wrote to memory of 1348 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 wrote to memory of 3144 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 wrote to memory of 3144 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 wrote to memory of 3144 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 wrote to memory of 3144 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 wrote to memory of 3948 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 wrote to memory of 3948 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 wrote to memory of 3948 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 wrote to memory of 3948 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 wrote to memory of 2444 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 wrote to memory of 2444 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 wrote to memory of 2444 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 wrote to memory of 2444 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 wrote to memory of 4476 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 wrote to memory of 4476 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 wrote to memory of 4476 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 wrote to memory of 4476 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 wrote to memory of 3684 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 wrote to memory of 3684 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 wrote to memory of 3684 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 wrote to memory of 3684 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 wrote to memory of 1536 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 wrote to memory of 1536 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 wrote to memory of 1536 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 wrote to memory of 1536 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 wrote to memory of 4560 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 wrote to memory of 4560 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 wrote to memory of 4560 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 wrote to memory of 4560 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 wrote to memory of 4324 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 wrote to memory of 4324 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 wrote to memory of 4324 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 wrote to memory of 4324 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 wrote to memory of 440 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 wrote to memory of 440 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 wrote to memory of 440 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 wrote to memory of 440 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 wrote to memory of 2740 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 wrote to memory of 2740 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 wrote to memory of 2740 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 wrote to memory of 2740 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 wrote to memory of 536 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 wrote to memory of 536 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 wrote to memory of 536 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 wrote to memory of 536 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 wrote to memory of 1496 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 wrote to memory of 1496 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe
PID 1564 wrote to memory of 1496 N/A \??\c:\program files (x86)\internet explorer\iexplore.exe C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Vencord.exe

"C:\Users\Admin\AppData\Local\Temp\Vencord.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c "C:\Windows\SysWOW64\System64\scvhost.exe"

C:\Windows\SysWOW64\System64\scvhost.exe

C:\Windows\SysWOW64\System64\scvhost.exe

\??\c:\program files (x86)\internet explorer\iexplore.exe

"c:\program files (x86)\internet explorer\iexplore.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\System32\wezuc9.exe

"C:\Windows\System32\wezuc9.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\System64\scvhost.exe

"C:\Windows\SysWOW64\System64\scvhost.exe"

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 147.185.221.18:52136 tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 189.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 195.233.44.23.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 16.234.44.23.in-addr.arpa udp
US 147.185.221.18:52136 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 147.185.221.18:52136 tcp
US 8.8.8.8:53 179.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 147.185.221.18:52136 tcp
US 8.8.8.8:53 205.178.17.96.in-addr.arpa udp
US 147.185.221.18:52136 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 147.185.221.18:52136 tcp
US 147.185.221.18:52136 tcp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\install.vbs

MD5 aa3bb02fdbe0aed95d2adf0ef033c2be
SHA1 002f7db7d5e7d368d27d7b1efd1a4f571fac1740
SHA256 d2f9e454aa3a7e614f38219f333420f2ac7963fffafccf3105929c280274de59
SHA512 3a49dfd9d827efdab3abf6220375ba921dde0772bba2b0674ed2562da27853f0df0b786f26c233ca96d8d89c1c95489330c3aea07e62c0b0a6ed716324d8c913

C:\Windows\SysWOW64\System64\scvhost.exe

MD5 e206c8908d5c24a3dda14322807d8e50
SHA1 144d9d69ba30e08dbe79ac3fae47e7c88aedb448
SHA256 00ce6c60c382436b7c8b9ddb94fbcf88e940c1ab94706555949393718bc1752e
SHA512 9c2ab2d8b6b5b72029ee2c8b34648abde2fa8166fcdd0c0532a720eeb908ad75cb99bbf4e747c314321f7872f92ba8657000c1231084c08a058f24035b752479

memory/1564-8-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1564-9-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1564-10-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1564-11-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1564-13-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1348-14-0x0000000000180000-0x00000000001FF000-memory.dmp

memory/1564-15-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1348-16-0x0000000000180000-0x00000000001FF000-memory.dmp

memory/1348-17-0x0000000000180000-0x00000000001FF000-memory.dmp

memory/1348-18-0x0000000000180000-0x00000000001FF000-memory.dmp

memory/3144-19-0x0000000000420000-0x000000000049F000-memory.dmp

memory/3144-20-0x0000000000420000-0x000000000049F000-memory.dmp

memory/3144-21-0x0000000000420000-0x000000000049F000-memory.dmp

memory/3144-22-0x0000000000420000-0x000000000049F000-memory.dmp

memory/3948-23-0x0000000001200000-0x000000000127F000-memory.dmp

memory/3948-24-0x0000000001200000-0x000000000127F000-memory.dmp

memory/3948-25-0x0000000001200000-0x000000000127F000-memory.dmp

memory/3948-26-0x0000000001200000-0x000000000127F000-memory.dmp

memory/2444-27-0x0000000000ED0000-0x0000000000F4F000-memory.dmp

memory/2444-28-0x0000000000ED0000-0x0000000000F4F000-memory.dmp

memory/2444-29-0x0000000000ED0000-0x0000000000F4F000-memory.dmp

memory/2444-30-0x0000000000ED0000-0x0000000000F4F000-memory.dmp

memory/4476-31-0x0000000000C00000-0x0000000000C7F000-memory.dmp

memory/4476-32-0x0000000000C00000-0x0000000000C7F000-memory.dmp

memory/4476-33-0x0000000000C00000-0x0000000000C7F000-memory.dmp

memory/4476-34-0x0000000000C00000-0x0000000000C7F000-memory.dmp

memory/3684-35-0x0000000000800000-0x000000000087F000-memory.dmp

memory/3684-36-0x0000000000800000-0x000000000087F000-memory.dmp

memory/3684-37-0x0000000000800000-0x000000000087F000-memory.dmp

memory/3684-38-0x0000000000800000-0x000000000087F000-memory.dmp

memory/1536-39-0x0000000000B70000-0x0000000000BEF000-memory.dmp

memory/1536-40-0x0000000000B70000-0x0000000000BEF000-memory.dmp

memory/1536-41-0x0000000000B70000-0x0000000000BEF000-memory.dmp

memory/1536-42-0x0000000000B70000-0x0000000000BEF000-memory.dmp

memory/4560-43-0x0000000000730000-0x00000000007AF000-memory.dmp

memory/4560-44-0x0000000000730000-0x00000000007AF000-memory.dmp

memory/4560-45-0x0000000000730000-0x00000000007AF000-memory.dmp

memory/4560-46-0x0000000000730000-0x00000000007AF000-memory.dmp

memory/4324-48-0x0000000000ED0000-0x0000000000F4F000-memory.dmp

memory/4324-49-0x0000000000ED0000-0x0000000000F4F000-memory.dmp

memory/4324-50-0x0000000000ED0000-0x0000000000F4F000-memory.dmp

memory/440-51-0x0000000000E80000-0x0000000000EFF000-memory.dmp

memory/440-52-0x0000000000E80000-0x0000000000EFF000-memory.dmp

memory/440-53-0x0000000000E80000-0x0000000000EFF000-memory.dmp

memory/440-55-0x0000000000E80000-0x0000000000EFF000-memory.dmp

memory/1564-54-0x0000000000400000-0x000000000047F000-memory.dmp

memory/2740-56-0x0000000000A40000-0x0000000000ABF000-memory.dmp

memory/2740-57-0x0000000000A40000-0x0000000000ABF000-memory.dmp

memory/2740-58-0x0000000000A40000-0x0000000000ABF000-memory.dmp

memory/2740-59-0x0000000000A40000-0x0000000000ABF000-memory.dmp

memory/1564-60-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1564-61-0x0000000000400000-0x000000000047F000-memory.dmp

memory/536-62-0x0000000000610000-0x000000000068F000-memory.dmp

memory/536-63-0x0000000000610000-0x000000000068F000-memory.dmp

memory/536-64-0x0000000000610000-0x000000000068F000-memory.dmp

memory/536-65-0x0000000000610000-0x000000000068F000-memory.dmp

memory/1496-66-0x0000000000EC0000-0x0000000000F3F000-memory.dmp

memory/1496-67-0x0000000000EC0000-0x0000000000F3F000-memory.dmp

memory/1496-68-0x0000000000EC0000-0x0000000000F3F000-memory.dmp

memory/1496-69-0x0000000000EC0000-0x0000000000F3F000-memory.dmp

memory/3948-70-0x0000000001200000-0x000000000127F000-memory.dmp

memory/3152-71-0x0000000000D10000-0x0000000000D8F000-memory.dmp

memory/3152-72-0x0000000000D10000-0x0000000000D8F000-memory.dmp

memory/3152-73-0x0000000000D10000-0x0000000000D8F000-memory.dmp

memory/3152-74-0x0000000000D10000-0x0000000000D8F000-memory.dmp

memory/4444-75-0x0000000001240000-0x00000000012BF000-memory.dmp

memory/4444-76-0x0000000001240000-0x00000000012BF000-memory.dmp

memory/4444-77-0x0000000001240000-0x00000000012BF000-memory.dmp

memory/4444-78-0x0000000001240000-0x00000000012BF000-memory.dmp

memory/1388-79-0x0000000000E10000-0x0000000000E8F000-memory.dmp

memory/1388-80-0x0000000000E10000-0x0000000000E8F000-memory.dmp

memory/1388-81-0x0000000000E10000-0x0000000000E8F000-memory.dmp

memory/1388-82-0x0000000000E10000-0x0000000000E8F000-memory.dmp

memory/3112-83-0x0000000000DF0000-0x0000000000E6F000-memory.dmp

memory/3112-84-0x0000000000DF0000-0x0000000000E6F000-memory.dmp

memory/3112-85-0x0000000000DF0000-0x0000000000E6F000-memory.dmp

memory/3112-86-0x0000000000DF0000-0x0000000000E6F000-memory.dmp

memory/4792-88-0x0000000000EC0000-0x0000000000F3F000-memory.dmp

memory/4792-89-0x0000000000EC0000-0x0000000000F3F000-memory.dmp

memory/4560-90-0x0000000000730000-0x00000000007AF000-memory.dmp

memory/4792-91-0x0000000000EC0000-0x0000000000F3F000-memory.dmp

memory/3876-92-0x0000000000CE0000-0x0000000000D5F000-memory.dmp

memory/3876-95-0x0000000000CE0000-0x0000000000D5F000-memory.dmp

memory/4200-99-0x0000000000E00000-0x0000000000E7F000-memory.dmp

memory/4244-103-0x0000000001200000-0x000000000127F000-memory.dmp

memory/4984-107-0x0000000000920000-0x000000000099F000-memory.dmp

memory/2920-113-0x0000000000450000-0x00000000004CF000-memory.dmp

memory/1156-117-0x00000000012D0000-0x000000000134F000-memory.dmp

memory/4948-121-0x0000000000A00000-0x0000000000A7F000-memory.dmp

memory/752-125-0x0000000000D60000-0x0000000000DDF000-memory.dmp

memory/1948-129-0x0000000000C20000-0x0000000000C9F000-memory.dmp

memory/3104-133-0x0000000000F10000-0x0000000000F8F000-memory.dmp

memory/2548-137-0x0000000000530000-0x00000000005AF000-memory.dmp

memory/4904-141-0x0000000000A60000-0x0000000000ADF000-memory.dmp

memory/3968-145-0x0000000000600000-0x000000000067F000-memory.dmp

memory/4128-149-0x0000000000600000-0x000000000067F000-memory.dmp

memory/3008-166-0x00000000004A0000-0x000000000051F000-memory.dmp

memory/4960-172-0x0000000000470000-0x00000000004EF000-memory.dmp

memory/2340-176-0x0000000000C90000-0x0000000000D0F000-memory.dmp

memory/4064-180-0x0000000000760000-0x00000000007DF000-memory.dmp

memory/4892-184-0x0000000000810000-0x000000000088F000-memory.dmp

memory/2620-188-0x0000000000110000-0x000000000018F000-memory.dmp

memory/3400-192-0x0000000000E00000-0x0000000000E7F000-memory.dmp

memory/3860-196-0x0000000000600000-0x000000000067F000-memory.dmp

memory/2772-200-0x0000000000870000-0x00000000008EF000-memory.dmp

memory/2496-204-0x0000000000A80000-0x0000000000AFF000-memory.dmp

memory/3996-208-0x0000000000E00000-0x0000000000E7F000-memory.dmp

memory/4652-212-0x00000000012E0000-0x000000000135F000-memory.dmp

memory/3536-218-0x0000000000110000-0x000000000018F000-memory.dmp

memory/4752-222-0x0000000000D90000-0x0000000000E0F000-memory.dmp

memory/3704-226-0x0000000000E00000-0x0000000000E7F000-memory.dmp

memory/740-230-0x0000000000AF0000-0x0000000000B6F000-memory.dmp

memory/3456-234-0x00000000012A0000-0x000000000131F000-memory.dmp

memory/1704-238-0x0000000001200000-0x000000000127F000-memory.dmp

memory/4020-242-0x0000000000410000-0x000000000048F000-memory.dmp

memory/1336-246-0x0000000000E00000-0x0000000000E7F000-memory.dmp

memory/1600-250-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1812-254-0x0000000000370000-0x00000000003EF000-memory.dmp

memory/4988-258-0x0000000000D20000-0x0000000000D9F000-memory.dmp

memory/1060-264-0x0000000000EA0000-0x0000000000F1F000-memory.dmp

memory/1980-268-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1252-272-0x0000000000900000-0x000000000097F000-memory.dmp

memory/2452-276-0x0000000000950000-0x00000000009CF000-memory.dmp

memory/3456-277-0x00000000012A0000-0x000000000131F000-memory.dmp

memory/5016-281-0x0000000000B70000-0x0000000000BEF000-memory.dmp