Overview
overview
10Static
static
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
3ฺฺฺK...ฺฺ
windows10_x64
3ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
8Resubmissions
03-07-2024 16:04
240703-thygmaycpc 1001-07-2024 18:12
240701-ws6xvswbkj 1001-07-2024 18:03
240701-wm5sls1gka 1001-07-2024 18:03
240701-wm39sa1gjf 1001-07-2024 18:03
240701-wm2e7avhkj 1001-07-2024 18:03
240701-wmzxcs1fre 1001-07-2024 18:02
240701-wmzats1frc 1001-07-2024 18:02
240701-wmvbwa1fqh 1022-11-2023 17:02
231122-vkac9adg64 10Analysis
-
max time kernel
1798s -
max time network
1814s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
19-11-2020 13:14
Static task
static1
Behavioral task
behavioral1
Sample
08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d.dll
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral3
Sample
1.bin/1.exe
Resource
win10v20201028
agenttesladanabotdharmaformbookgozi_rm3nanocoreqakbot86920224spx1291590734339appi0qiw9zagilenetbankerbotnetcoreentitycryptoneevasionkeyloggerpackerpersistenceransomwareratrezer0spywarestealertrojan
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral4
Sample
2019-09-02_22-41-10.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral5
Sample
2b5e50bc3077610128051bc3e657c3f0e331fb8fed2559c6596911890ea866ba.dll
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral6
Sample
2c01b007729230c415420ad641ad92eb.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral7
Sample
31.exe
Resource
win10v20201028
agenttesladanabotdharmaformbookgozi_rm3qakbot86920224spx1291590734339appi0qiw9zagilenetbankerbotnetcoreentitycryptoneevasionkeyloggerpackerpersistenceransomwareratrezer0spywarestealertrojan
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral8
Sample
3DMark 11 Advanced Edition.exe
Resource
win10v20201028
agentteslaazorultplugxredlinesmokeloadertofseexmrigbackdoorbootkitdiscoveryevasioninfostealerkeyloggermacrominerpersistencespywarestealertrojanupxvmprotect
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral9
Sample
42f972925508a82236e8533567487761.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral10
Sample
42f972925508a82236e8533567487761(1).exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral11
Sample
5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral12
Sample
69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral13
Sample
6a9e7107c97762eb1196a64baeadb291.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral14
Sample
905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral15
Sample
948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral16
Sample
95560f1a465e8ba87a73f8e60a6657545073d55c3b5cfc2ffdaf3d69d46afcf9.dll
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral17
Sample
Archive.zip__ccacaxs2tbz2t6ob3e.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral18
Sample
CVE-2018-15982_PoC.swf
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral19
Sample
CVWSHSetup[1].bin/WSHSetup[1].exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral20
Sample
DiskInternals_Uneraser_v5_keygen.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral21
Sample
ForceOp 2.8.7 - By RaiSence.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral22
Sample
HYDRA.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral23
Sample
KLwC6vii.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral24
Sample
Keygen.exe
Resource
win10v20201028
asyncratazorultmodiloaderoskiraccoonremcos5e4db353b88c002ba6466c06437973619aad03b3xxxxxxxxxxxdiscoveryevasioninfostealerpersistenceratspywarestealertrojan
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral25
Sample
Lonelyscreen.1.2.9.keygen.by.Paradox/Lonelyscreen.1.2.9.keygen.by.Paradox.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral26
Sample
LtHv0O2KZDK4M637.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral27
Sample
Magic_File_v3_keygen_by_KeygenNinja.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral28
Sample
OnlineInstaller.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral29
Sample
Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe
Resource
win10v20201028
agentteslaazorultredlinesmokeloadertofseexmrigbackdoorbootkitdiscoveryevasioninfostealerkeyloggermacrominerpersistenceransomwarespywarestealertrojanupxvmprotect
windows10_x64
0 signatures
0 seconds
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral31
Sample
SecuriteInfo.com.Generic.mg.cde56cf0169830ee.29869.dll
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
General
-
Target
42f972925508a82236e8533567487761.exe
Malware Config
Extracted
Family
warzonerat
C2
sandyclark255.hopto.org:5200
Extracted
Family
asyncrat
Version
0.5.6A
C2
sandyclark255.hopto.org:6606
sandyclark255.hopto.org:8808
sandyclark255.hopto.org:7707
Mutex
adweqsds56332
Attributes
-
aes_key
DStgwPf5qCYAcWWcPg3CaZBkDbYF3HQo
-
anti_detection
true
-
autorun
true
-
bdos
false
- delay
-
host
sandyclark255.hopto.org
- hwid
- install_file
-
install_folder
%AppData%
-
mutex
adweqsds56332
-
pastebin_config
null
-
port
6606,8808,7707
-
version
0.5.6A
aes.plain
Signatures
-
Modifies WinLogon for persistence 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\k4Xq51JTS0f2R98Z\\0V73UcVDnHUl.exe\",explorer.exe" svbhost.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\k4Xq51JTS0f2R98Z\\ZjuLIBviNzqy.exe\",explorer.exe" eIUVS8yneJWQc7wK.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\excelsl.exe" svuhost.exe -
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Async RAT payload 1 IoCs
resource yara_rule behavioral9/memory/2388-80-0x0000000002890000-0x000000000289D000-memory.dmp asyncrat -
Warzone RAT Payload 3 IoCs
resource yara_rule behavioral9/memory/716-31-0x0000000000400000-0x0000000000554000-memory.dmp warzonerat behavioral9/memory/716-32-0x0000000000405CE2-mapping.dmp warzonerat behavioral9/memory/716-35-0x0000000000400000-0x0000000000554000-memory.dmp warzonerat -
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\system32\drivers\etc\hosts svuhost.exe -
Executes dropped EXE 21 IoCs
pid Process 2684 Q84NaqkUOz1eNKMu.exe 184 eIUVS8yneJWQc7wK.exe 1800 C5LXgE2NTeA6vaqf.exe 2388 VliD6S25vjFhrcLj.exe 1312 RktTKislQvYnnKdo.exe 1352 YKbXlrzv2bnCPERW.exe 3804 svthost.exe 716 eridjeht.exe 3932 svrhost.exe 1620 svehosts.exe 1248 svbhost.exe 2856 svbhost.exe 1204 svbhost.exe 1308 svuhost.exe 1220 svuhost.exe 2968 svuhost.exe 3296 excelsl.exe 996 svuhost.exe 1088 svbhost.exe 1608 svbhost.exe 3536 prndrvest.exe -
Modifies Windows Firewall 1 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation svuhost.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2d790bed038373d95093d4db590b9997.exe svehosts.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2d790bed038373d95093d4db590b9997.exe svehosts.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\office = "C:\\Users\\Admin\\Documents\\excelsl.exe" svuhost.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\2d790bed038373d95093d4db590b9997 = "\"C:\\Windows\\svehosts.exe\" .." svehosts.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\2d790bed038373d95093d4db590b9997 = "\"C:\\Windows\\svehosts.exe\" .." svehosts.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\office = "C:\\Users\\Admin\\Documents\\excelsl.exe" svuhost.exe -
Suspicious use of SetThreadContext 7 IoCs
description pid Process procid_target PID 576 set thread context of 3804 576 42f972925508a82236e8533567487761.exe 84 PID 1312 set thread context of 716 1312 RktTKislQvYnnKdo.exe 87 PID 1352 set thread context of 3932 1352 YKbXlrzv2bnCPERW.exe 89 PID 184 set thread context of 2856 184 eIUVS8yneJWQc7wK.exe 93 PID 1800 set thread context of 2968 1800 C5LXgE2NTeA6vaqf.exe 97 PID 3296 set thread context of 996 3296 excelsl.exe 104 PID 1204 set thread context of 1608 1204 svbhost.exe 108 -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\svehosts.exe Q84NaqkUOz1eNKMu.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 5 IoCs
pid pid_target Process procid_target 2204 576 WerFault.exe 67 3424 1312 WerFault.exe 82 3172 1352 WerFault.exe 83 492 1800 WerFault.exe 80 3820 3296 WerFault.exe 100 -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3936 schtasks.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 188 timeout.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance svuhost.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 576 42f972925508a82236e8533567487761.exe 576 42f972925508a82236e8533567487761.exe 576 42f972925508a82236e8533567487761.exe 2204 WerFault.exe 2204 WerFault.exe 2204 WerFault.exe 2204 WerFault.exe 2204 WerFault.exe 2204 WerFault.exe 2204 WerFault.exe 2204 WerFault.exe 2204 WerFault.exe 2204 WerFault.exe 2204 WerFault.exe 2204 WerFault.exe 2204 WerFault.exe 2204 WerFault.exe 2204 WerFault.exe 1312 RktTKislQvYnnKdo.exe 1312 RktTKislQvYnnKdo.exe 1312 RktTKislQvYnnKdo.exe 1352 YKbXlrzv2bnCPERW.exe 1352 YKbXlrzv2bnCPERW.exe 1352 YKbXlrzv2bnCPERW.exe 3424 WerFault.exe 3424 WerFault.exe 3424 WerFault.exe 3424 WerFault.exe 3424 WerFault.exe 3424 WerFault.exe 3424 WerFault.exe 3424 WerFault.exe 3424 WerFault.exe 3424 WerFault.exe 3424 WerFault.exe 3424 WerFault.exe 3424 WerFault.exe 3424 WerFault.exe 3424 WerFault.exe 3172 WerFault.exe 3172 WerFault.exe 3172 WerFault.exe 3172 WerFault.exe 3172 WerFault.exe 3172 WerFault.exe 3172 WerFault.exe 3172 WerFault.exe 3172 WerFault.exe 3172 WerFault.exe 3172 WerFault.exe 3172 WerFault.exe 3172 WerFault.exe 3172 WerFault.exe 3172 WerFault.exe 184 eIUVS8yneJWQc7wK.exe 184 eIUVS8yneJWQc7wK.exe 184 eIUVS8yneJWQc7wK.exe 184 eIUVS8yneJWQc7wK.exe 184 eIUVS8yneJWQc7wK.exe 184 eIUVS8yneJWQc7wK.exe 1800 C5LXgE2NTeA6vaqf.exe 1800 C5LXgE2NTeA6vaqf.exe 1800 C5LXgE2NTeA6vaqf.exe 1800 C5LXgE2NTeA6vaqf.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 3932 svrhost.exe 2856 svbhost.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 576 42f972925508a82236e8533567487761.exe Token: SeDebugPrivilege 576 42f972925508a82236e8533567487761.exe Token: SeRestorePrivilege 2204 WerFault.exe Token: SeBackupPrivilege 2204 WerFault.exe Token: SeDebugPrivilege 2684 Q84NaqkUOz1eNKMu.exe Token: SeDebugPrivilege 2684 Q84NaqkUOz1eNKMu.exe Token: SeDebugPrivilege 2204 WerFault.exe Token: SeDebugPrivilege 1312 RktTKislQvYnnKdo.exe Token: SeDebugPrivilege 1352 YKbXlrzv2bnCPERW.exe Token: SeDebugPrivilege 3424 WerFault.exe Token: SeDebugPrivilege 3172 WerFault.exe Token: SeDebugPrivilege 2388 VliD6S25vjFhrcLj.exe Token: SeDebugPrivilege 184 eIUVS8yneJWQc7wK.exe Token: SeDebugPrivilege 184 eIUVS8yneJWQc7wK.exe Token: SeDebugPrivilege 1800 C5LXgE2NTeA6vaqf.exe Token: SeShutdownPrivilege 2856 svbhost.exe Token: SeDebugPrivilege 2856 svbhost.exe Token: SeTcbPrivilege 2856 svbhost.exe Token: SeDebugPrivilege 1620 svehosts.exe Token: SeDebugPrivilege 1620 svehosts.exe Token: SeIncreaseQuotaPrivilege 2968 svuhost.exe Token: SeSecurityPrivilege 2968 svuhost.exe Token: SeTakeOwnershipPrivilege 2968 svuhost.exe Token: SeLoadDriverPrivilege 2968 svuhost.exe Token: SeSystemProfilePrivilege 2968 svuhost.exe Token: SeSystemtimePrivilege 2968 svuhost.exe Token: SeProfSingleProcessPrivilege 2968 svuhost.exe Token: SeIncBasePriorityPrivilege 2968 svuhost.exe Token: SeCreatePagefilePrivilege 2968 svuhost.exe Token: SeBackupPrivilege 2968 svuhost.exe Token: SeRestorePrivilege 2968 svuhost.exe Token: SeShutdownPrivilege 2968 svuhost.exe Token: SeDebugPrivilege 2968 svuhost.exe Token: SeSystemEnvironmentPrivilege 2968 svuhost.exe Token: SeChangeNotifyPrivilege 2968 svuhost.exe Token: SeRemoteShutdownPrivilege 2968 svuhost.exe Token: SeUndockPrivilege 2968 svuhost.exe Token: SeManageVolumePrivilege 2968 svuhost.exe Token: SeImpersonatePrivilege 2968 svuhost.exe Token: SeCreateGlobalPrivilege 2968 svuhost.exe Token: 33 2968 svuhost.exe Token: 34 2968 svuhost.exe Token: 35 2968 svuhost.exe Token: 36 2968 svuhost.exe Token: SeDebugPrivilege 492 WerFault.exe Token: SeDebugPrivilege 3296 excelsl.exe Token: SeDebugPrivilege 1204 svbhost.exe Token: SeIncreaseQuotaPrivilege 996 svuhost.exe Token: SeSecurityPrivilege 996 svuhost.exe Token: SeTakeOwnershipPrivilege 996 svuhost.exe Token: SeLoadDriverPrivilege 996 svuhost.exe Token: SeSystemProfilePrivilege 996 svuhost.exe Token: SeSystemtimePrivilege 996 svuhost.exe Token: SeProfSingleProcessPrivilege 996 svuhost.exe Token: SeIncBasePriorityPrivilege 996 svuhost.exe Token: SeCreatePagefilePrivilege 996 svuhost.exe Token: SeBackupPrivilege 996 svuhost.exe Token: SeDebugPrivilege 1204 svbhost.exe Token: SeRestorePrivilege 996 svuhost.exe Token: SeShutdownPrivilege 996 svuhost.exe Token: SeDebugPrivilege 996 svuhost.exe Token: SeSystemEnvironmentPrivilege 996 svuhost.exe Token: SeChangeNotifyPrivilege 996 svuhost.exe Token: SeRemoteShutdownPrivilege 996 svuhost.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2856 svbhost.exe 996 svuhost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 576 wrote to memory of 2684 576 42f972925508a82236e8533567487761.exe 78 PID 576 wrote to memory of 2684 576 42f972925508a82236e8533567487761.exe 78 PID 576 wrote to memory of 2684 576 42f972925508a82236e8533567487761.exe 78 PID 576 wrote to memory of 184 576 42f972925508a82236e8533567487761.exe 79 PID 576 wrote to memory of 184 576 42f972925508a82236e8533567487761.exe 79 PID 576 wrote to memory of 184 576 42f972925508a82236e8533567487761.exe 79 PID 576 wrote to memory of 1800 576 42f972925508a82236e8533567487761.exe 80 PID 576 wrote to memory of 1800 576 42f972925508a82236e8533567487761.exe 80 PID 576 wrote to memory of 1800 576 42f972925508a82236e8533567487761.exe 80 PID 576 wrote to memory of 2388 576 42f972925508a82236e8533567487761.exe 81 PID 576 wrote to memory of 2388 576 42f972925508a82236e8533567487761.exe 81 PID 576 wrote to memory of 2388 576 42f972925508a82236e8533567487761.exe 81 PID 576 wrote to memory of 1312 576 42f972925508a82236e8533567487761.exe 82 PID 576 wrote to memory of 1312 576 42f972925508a82236e8533567487761.exe 82 PID 576 wrote to memory of 1312 576 42f972925508a82236e8533567487761.exe 82 PID 576 wrote to memory of 1352 576 42f972925508a82236e8533567487761.exe 83 PID 576 wrote to memory of 1352 576 42f972925508a82236e8533567487761.exe 83 PID 576 wrote to memory of 1352 576 42f972925508a82236e8533567487761.exe 83 PID 576 wrote to memory of 3804 576 42f972925508a82236e8533567487761.exe 84 PID 576 wrote to memory of 3804 576 42f972925508a82236e8533567487761.exe 84 PID 576 wrote to memory of 3804 576 42f972925508a82236e8533567487761.exe 84 PID 576 wrote to memory of 3804 576 42f972925508a82236e8533567487761.exe 84 PID 576 wrote to memory of 3804 576 42f972925508a82236e8533567487761.exe 84 PID 576 wrote to memory of 3804 576 42f972925508a82236e8533567487761.exe 84 PID 576 wrote to memory of 3804 576 42f972925508a82236e8533567487761.exe 84 PID 576 wrote to memory of 3804 576 42f972925508a82236e8533567487761.exe 84 PID 576 wrote to memory of 3804 576 42f972925508a82236e8533567487761.exe 84 PID 576 wrote to memory of 3804 576 42f972925508a82236e8533567487761.exe 84 PID 576 wrote to memory of 3804 576 42f972925508a82236e8533567487761.exe 84 PID 576 wrote to memory of 3804 576 42f972925508a82236e8533567487761.exe 84 PID 1312 wrote to memory of 716 1312 RktTKislQvYnnKdo.exe 87 PID 1312 wrote to memory of 716 1312 RktTKislQvYnnKdo.exe 87 PID 1312 wrote to memory of 716 1312 RktTKislQvYnnKdo.exe 87 PID 1312 wrote to memory of 716 1312 RktTKislQvYnnKdo.exe 87 PID 1312 wrote to memory of 716 1312 RktTKislQvYnnKdo.exe 87 PID 1312 wrote to memory of 716 1312 RktTKislQvYnnKdo.exe 87 PID 1312 wrote to memory of 716 1312 RktTKislQvYnnKdo.exe 87 PID 1312 wrote to memory of 716 1312 RktTKislQvYnnKdo.exe 87 PID 1312 wrote to memory of 716 1312 RktTKislQvYnnKdo.exe 87 PID 1312 wrote to memory of 716 1312 RktTKislQvYnnKdo.exe 87 PID 1312 wrote to memory of 716 1312 RktTKislQvYnnKdo.exe 87 PID 1352 wrote to memory of 3932 1352 YKbXlrzv2bnCPERW.exe 89 PID 1352 wrote to memory of 3932 1352 YKbXlrzv2bnCPERW.exe 89 PID 1352 wrote to memory of 3932 1352 YKbXlrzv2bnCPERW.exe 89 PID 1352 wrote to memory of 3932 1352 YKbXlrzv2bnCPERW.exe 89 PID 1352 wrote to memory of 3932 1352 YKbXlrzv2bnCPERW.exe 89 PID 1352 wrote to memory of 3932 1352 YKbXlrzv2bnCPERW.exe 89 PID 1352 wrote to memory of 3932 1352 YKbXlrzv2bnCPERW.exe 89 PID 1352 wrote to memory of 3932 1352 YKbXlrzv2bnCPERW.exe 89 PID 1352 wrote to memory of 3932 1352 YKbXlrzv2bnCPERW.exe 89 PID 1352 wrote to memory of 3932 1352 YKbXlrzv2bnCPERW.exe 89 PID 2684 wrote to memory of 1620 2684 Q84NaqkUOz1eNKMu.exe 91 PID 2684 wrote to memory of 1620 2684 Q84NaqkUOz1eNKMu.exe 91 PID 2684 wrote to memory of 1620 2684 Q84NaqkUOz1eNKMu.exe 91 PID 184 wrote to memory of 1248 184 eIUVS8yneJWQc7wK.exe 92 PID 184 wrote to memory of 1248 184 eIUVS8yneJWQc7wK.exe 92 PID 184 wrote to memory of 1248 184 eIUVS8yneJWQc7wK.exe 92 PID 184 wrote to memory of 2856 184 eIUVS8yneJWQc7wK.exe 93 PID 184 wrote to memory of 2856 184 eIUVS8yneJWQc7wK.exe 93 PID 184 wrote to memory of 2856 184 eIUVS8yneJWQc7wK.exe 93 PID 184 wrote to memory of 2856 184 eIUVS8yneJWQc7wK.exe 93 PID 184 wrote to memory of 2856 184 eIUVS8yneJWQc7wK.exe 93 PID 184 wrote to memory of 2856 184 eIUVS8yneJWQc7wK.exe 93 PID 184 wrote to memory of 2856 184 eIUVS8yneJWQc7wK.exe 93
Processes
-
C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe"C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:576 -
C:\Users\Admin\AppData\Local\Temp\Q84NaqkUOz1eNKMu.exe"C:\Users\Admin\AppData\Local\Temp\Q84NaqkUOz1eNKMu.exe"2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\svehosts.exe"C:\Windows\svehosts.exe"3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1620 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Windows\svehosts.exe" "svehosts.exe" ENABLE4⤵PID:3560
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\eIUVS8yneJWQc7wK.exe"C:\Users\Admin\AppData\Local\Temp\eIUVS8yneJWQc7wK.exe"2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:184 -
C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe"C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe"3⤵
- Executes dropped EXE
PID:1248
-
-
C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe"C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2856 -
C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe"C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe" 28564⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1204 -
C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe"C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe"5⤵
- Executes dropped EXE
PID:1088
-
-
C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe"C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe"5⤵
- Executes dropped EXE
PID:1608
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\C5LXgE2NTeA6vaqf.exe"C:\Users\Admin\AppData\Local\Temp\C5LXgE2NTeA6vaqf.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1800 -
C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe"C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe"3⤵
- Executes dropped EXE
PID:1308
-
-
C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe"C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe"3⤵
- Executes dropped EXE
PID:1220
-
-
C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe"C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe"3⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2968 -
C:\Windows\SysWOW64\notepad.exenotepad4⤵PID:3532
-
-
C:\Users\Admin\Documents\excelsl.exe"C:\Users\Admin\Documents\excelsl.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3296 -
C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe"C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe"5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:996 -
C:\Windows\SysWOW64\notepad.exenotepad6⤵PID:580
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3296 -s 10725⤵
- Program crash
PID:3820
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 10843⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:492
-
-
-
C:\Users\Admin\AppData\Local\Temp\VliD6S25vjFhrcLj.exe"C:\Users\Admin\AppData\Local\Temp\VliD6S25vjFhrcLj.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2388 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'prndrvest"' /tr "'C:\Users\Admin\AppData\Roaming\prndrvest.exe"'3⤵
- Creates scheduled task(s)
PID:3936
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5724.tmp.bat""3⤵PID:1320
-
C:\Windows\SysWOW64\timeout.exetimeout 34⤵
- Delays execution with timeout.exe
PID:188
-
-
C:\Users\Admin\AppData\Roaming\prndrvest.exe"C:\Users\Admin\AppData\Roaming\prndrvest.exe"4⤵
- Executes dropped EXE
PID:3536
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RktTKislQvYnnKdo.exe"C:\Users\Admin\AppData\Local\Temp\RktTKislQvYnnKdo.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1312 -
C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe"C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe"3⤵
- Executes dropped EXE
PID:716
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 10683⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3424
-
-
-
C:\Users\Admin\AppData\Local\Temp\YKbXlrzv2bnCPERW.exe"C:\Users\Admin\AppData\Local\Temp\YKbXlrzv2bnCPERW.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1352 -
C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe"C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:3932
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 10683⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3172
-
-
-
C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe"C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe"2⤵
- Executes dropped EXE
PID:3804
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 576 -s 15762⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2204
-