Overview
overview
10Static
static
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
3ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
9ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
ฺฺฺK...ฺฺ
windows10_x64
Analysis
-
max time kernel
1802s -
max time network
1816s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
20-11-2020 14:34
Static task
static1
Behavioral task
behavioral1
Sample
08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d.exe.dll
Resource
win10v20201028
Behavioral task
behavioral2
Sample
0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe
Resource
win10v20201028
Behavioral task
behavioral3
Sample
0di3x.exe
Resource
win10v20201028
Behavioral task
behavioral4
Sample
2019-09-02_22-41-10.exe
Resource
win10v20201028
Behavioral task
behavioral5
Sample
2c01b007729230c415420ad641ad92eb.exe
Resource
win10v20201028
Behavioral task
behavioral6
Sample
31.exe
Resource
win10v20201028
Behavioral task
behavioral7
Sample
3DMark 11 Advanced Edition.exe
Resource
win10v20201028
Behavioral task
behavioral8
Sample
42f972925508a82236e8533567487761.exe
Resource
win10v20201028
Behavioral task
behavioral9
Sample
5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Resource
win10v20201028
Behavioral task
behavioral10
Sample
69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
Resource
win10v20201028
Behavioral task
behavioral11
Sample
905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Resource
win10v20201028
Behavioral task
behavioral12
Sample
948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe
Resource
win10v20201028
Behavioral task
behavioral13
Sample
95560f1a465e8ba87a73f8e60a6657545073d55c3b5cfc2ffdaf3d69d46afcf9.exe.dll
Resource
win10v20201028
Behavioral task
behavioral14
Sample
Archive.zip__ccacaxs2tbz2t6ob3e.exe
Resource
win10v20201028
Behavioral task
behavioral15
Sample
CVE-2018-15982_PoC.swf
Resource
win10v20201028
Behavioral task
behavioral16
Sample
DiskInternals_Uneraser_v5_keygen.exe
Resource
win10v20201028
Behavioral task
behavioral17
Sample
ForceOp 2.8.7 - By RaiSence.exe
Resource
win10v20201028
Behavioral task
behavioral18
Sample
HYDRA.exe
Resource
win10v20201028
Behavioral task
behavioral19
Sample
KLwC6vii.exe
Resource
win10v20201028
Behavioral task
behavioral20
Sample
Keygen.exe
Resource
win10v20201028
Behavioral task
behavioral21
Sample
Lonelyscreen.1.2.9.keygen.by.Paradox.exe
Resource
win10v20201028
Behavioral task
behavioral22
Sample
LtHv0O2KZDK4M637.exe
Resource
win10v20201028
Behavioral task
behavioral23
Sample
Magic_File_v3_keygen_by_KeygenNinja.exe
Resource
win10v20201028
Behavioral task
behavioral24
Sample
OnlineInstaller.exe
Resource
win10v20201028
Behavioral task
behavioral25
Sample
Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe
Resource
win10v20201028
Behavioral task
behavioral27
Sample
SecuriteInfo.com.Generic.mg.cde56cf0169830ee.29869.dll
Resource
win10v20201028
Behavioral task
behavioral28
Sample
SecurityTaskManager_Setup.exe
Resource
win10v20201028
Behavioral task
behavioral29
Sample
Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe
Resource
win10v20201028
Behavioral task
behavioral30
Sample
VyprVPN.exe
Resource
win10v20201028
Behavioral task
behavioral31
Sample
WSHSetup[1].exe
Resource
win10v20201028
Behavioral task
behavioral32
Sample
Yard.dll
Resource
win10v20201028
General
-
Target
42f972925508a82236e8533567487761.exe
Malware Config
Extracted
warzonerat
sandyclark255.hopto.org:5200
Extracted
asyncrat
0.5.6A
sandyclark255.hopto.org:6606
sandyclark255.hopto.org:8808
sandyclark255.hopto.org:7707
adweqsds56332
-
aes_key
DStgwPf5qCYAcWWcPg3CaZBkDbYF3HQo
-
anti_detection
true
-
autorun
true
-
bdos
false
- delay
-
host
sandyclark255.hopto.org
- hwid
- install_file
-
install_folder
%AppData%
-
mutex
adweqsds56332
-
pastebin_config
null
-
port
6606,8808,7707
-
version
0.5.6A
Signatures
-
Modifies WinLogon for persistence 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\excelsl.exe" svuhost.exe Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\k4Xq51JTS0f2R98Z\\8tXl3oO33iYD.exe\",explorer.exe" svbhost.exe Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\k4Xq51JTS0f2R98Z\\rOpvyoxaeDUa.exe\",explorer.exe" DONRS8eiyuFBBYxo.exe -
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Async RAT payload 1 IoCs
resource yara_rule behavioral8/memory/3176-186-0x00000000046F0000-0x00000000046FD000-memory.dmp asyncrat -
Warzone RAT Payload 3 IoCs
resource yara_rule behavioral8/memory/1188-63-0x0000000000400000-0x0000000000554000-memory.dmp warzonerat behavioral8/memory/1188-65-0x0000000000405CE2-mapping.dmp warzonerat behavioral8/memory/1188-69-0x0000000000400000-0x0000000000554000-memory.dmp warzonerat -
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\system32\drivers\etc\hosts svuhost.exe -
Executes dropped EXE 17 IoCs
pid Process 3904 JMFP8QdaZdxQNSTc.exe 4032 DONRS8eiyuFBBYxo.exe 2144 FsWGELHnfs75nUAX.exe 3176 nfNIRPKNTDlm5w3t.exe 4360 oj6nKcf8t6QM1cww.exe 3816 xoygXxPNEjZfHSwN.exe 4464 svthost.exe 1188 eridjeht.exe 2168 svbhost.exe 2444 svbhost.exe 2616 svrhost.exe 4544 svehosts.exe 4156 svuhost.exe 8 excelsl.exe 1276 svbhost.exe 3100 svuhost.exe 1452 prndrvest.exe -
Modifies Windows Firewall 1 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation svuhost.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2d790bed038373d95093d4db590b9997.exe svehosts.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2d790bed038373d95093d4db590b9997.exe svehosts.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\2d790bed038373d95093d4db590b9997 = "\"C:\\Windows\\svehosts.exe\" .." svehosts.exe Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\office = "C:\\Users\\Admin\\Documents\\excelsl.exe" svuhost.exe Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\office = "C:\\Users\\Admin\\Documents\\excelsl.exe" svuhost.exe Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\2d790bed038373d95093d4db590b9997 = "\"C:\\Windows\\svehosts.exe\" .." svehosts.exe -
Suspicious use of SetThreadContext 7 IoCs
description pid Process procid_target PID 4720 set thread context of 4464 4720 42f972925508a82236e8533567487761.exe 84 PID 4360 set thread context of 1188 4360 oj6nKcf8t6QM1cww.exe 87 PID 4032 set thread context of 2168 4032 DONRS8eiyuFBBYxo.exe 89 PID 3816 set thread context of 2616 3816 xoygXxPNEjZfHSwN.exe 92 PID 2144 set thread context of 4156 2144 FsWGELHnfs75nUAX.exe 95 PID 2444 set thread context of 1276 2444 svbhost.exe 99 PID 8 set thread context of 3100 8 excelsl.exe 100 -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\svehosts.exe JMFP8QdaZdxQNSTc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 5 IoCs
pid pid_target Process procid_target 4484 4720 WerFault.exe 67 1568 4360 WerFault.exe 82 4320 3816 WerFault.exe 83 4840 2144 WerFault.exe 80 3972 8 WerFault.exe 98 -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4412 schtasks.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 1248 timeout.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance svuhost.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4720 42f972925508a82236e8533567487761.exe 4720 42f972925508a82236e8533567487761.exe 4720 42f972925508a82236e8533567487761.exe 4484 WerFault.exe 4484 WerFault.exe 4484 WerFault.exe 4484 WerFault.exe 4484 WerFault.exe 4484 WerFault.exe 4484 WerFault.exe 4484 WerFault.exe 4484 WerFault.exe 4484 WerFault.exe 4484 WerFault.exe 4484 WerFault.exe 4484 WerFault.exe 4484 WerFault.exe 4484 WerFault.exe 4360 oj6nKcf8t6QM1cww.exe 4360 oj6nKcf8t6QM1cww.exe 4360 oj6nKcf8t6QM1cww.exe 1568 WerFault.exe 1568 WerFault.exe 1568 WerFault.exe 1568 WerFault.exe 1568 WerFault.exe 1568 WerFault.exe 1568 WerFault.exe 1568 WerFault.exe 1568 WerFault.exe 1568 WerFault.exe 1568 WerFault.exe 1568 WerFault.exe 1568 WerFault.exe 1568 WerFault.exe 1568 WerFault.exe 4032 DONRS8eiyuFBBYxo.exe 4032 DONRS8eiyuFBBYxo.exe 3816 xoygXxPNEjZfHSwN.exe 3816 xoygXxPNEjZfHSwN.exe 3816 xoygXxPNEjZfHSwN.exe 4320 WerFault.exe 4320 WerFault.exe 4320 WerFault.exe 4320 WerFault.exe 4320 WerFault.exe 4320 WerFault.exe 4320 WerFault.exe 4320 WerFault.exe 4320 WerFault.exe 4320 WerFault.exe 4320 WerFault.exe 4320 WerFault.exe 4320 WerFault.exe 4320 WerFault.exe 4320 WerFault.exe 4320 WerFault.exe 2144 FsWGELHnfs75nUAX.exe 2144 FsWGELHnfs75nUAX.exe 2144 FsWGELHnfs75nUAX.exe 4840 WerFault.exe 4840 WerFault.exe 4840 WerFault.exe 4840 WerFault.exe -
Suspicious behavior: GetForegroundWindowSpam 4 IoCs
pid Process 2616 svrhost.exe 2168 svbhost.exe 3100 svuhost.exe 4544 svehosts.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 4720 42f972925508a82236e8533567487761.exe Token: SeDebugPrivilege 4720 42f972925508a82236e8533567487761.exe Token: SeRestorePrivilege 4484 WerFault.exe Token: SeBackupPrivilege 4484 WerFault.exe Token: SeDebugPrivilege 4484 WerFault.exe Token: SeDebugPrivilege 3904 JMFP8QdaZdxQNSTc.exe Token: SeDebugPrivilege 3904 JMFP8QdaZdxQNSTc.exe Token: SeDebugPrivilege 4360 oj6nKcf8t6QM1cww.exe Token: SeDebugPrivilege 4032 DONRS8eiyuFBBYxo.exe Token: SeDebugPrivilege 4032 DONRS8eiyuFBBYxo.exe Token: SeDebugPrivilege 1568 WerFault.exe Token: SeShutdownPrivilege 2168 svbhost.exe Token: SeDebugPrivilege 2168 svbhost.exe Token: SeTcbPrivilege 2168 svbhost.exe Token: SeDebugPrivilege 3816 xoygXxPNEjZfHSwN.exe Token: SeDebugPrivilege 3176 nfNIRPKNTDlm5w3t.exe Token: SeDebugPrivilege 4320 WerFault.exe Token: SeDebugPrivilege 2144 FsWGELHnfs75nUAX.exe Token: SeIncreaseQuotaPrivilege 4156 svuhost.exe Token: SeSecurityPrivilege 4156 svuhost.exe Token: SeTakeOwnershipPrivilege 4156 svuhost.exe Token: SeLoadDriverPrivilege 4156 svuhost.exe Token: SeSystemProfilePrivilege 4156 svuhost.exe Token: SeSystemtimePrivilege 4156 svuhost.exe Token: SeProfSingleProcessPrivilege 4156 svuhost.exe Token: SeIncBasePriorityPrivilege 4156 svuhost.exe Token: SeCreatePagefilePrivilege 4156 svuhost.exe Token: SeBackupPrivilege 4156 svuhost.exe Token: SeRestorePrivilege 4156 svuhost.exe Token: SeShutdownPrivilege 4156 svuhost.exe Token: SeDebugPrivilege 4156 svuhost.exe Token: SeSystemEnvironmentPrivilege 4156 svuhost.exe Token: SeChangeNotifyPrivilege 4156 svuhost.exe Token: SeRemoteShutdownPrivilege 4156 svuhost.exe Token: SeUndockPrivilege 4156 svuhost.exe Token: SeManageVolumePrivilege 4156 svuhost.exe Token: SeImpersonatePrivilege 4156 svuhost.exe Token: SeCreateGlobalPrivilege 4156 svuhost.exe Token: 33 4156 svuhost.exe Token: 34 4156 svuhost.exe Token: 35 4156 svuhost.exe Token: 36 4156 svuhost.exe Token: SeDebugPrivilege 2444 svbhost.exe Token: SeDebugPrivilege 4840 WerFault.exe Token: SeDebugPrivilege 2444 svbhost.exe Token: SeDebugPrivilege 4544 svehosts.exe Token: SeDebugPrivilege 4544 svehosts.exe Token: SeShutdownPrivilege 1276 svbhost.exe Token: SeDebugPrivilege 1276 svbhost.exe Token: SeTcbPrivilege 1276 svbhost.exe Token: SeDebugPrivilege 8 excelsl.exe Token: SeIncreaseQuotaPrivilege 3100 svuhost.exe Token: SeSecurityPrivilege 3100 svuhost.exe Token: SeTakeOwnershipPrivilege 3100 svuhost.exe Token: SeLoadDriverPrivilege 3100 svuhost.exe Token: SeSystemProfilePrivilege 3100 svuhost.exe Token: SeSystemtimePrivilege 3100 svuhost.exe Token: SeProfSingleProcessPrivilege 3100 svuhost.exe Token: SeIncBasePriorityPrivilege 3100 svuhost.exe Token: SeCreatePagefilePrivilege 3100 svuhost.exe Token: SeBackupPrivilege 3100 svuhost.exe Token: SeRestorePrivilege 3100 svuhost.exe Token: SeShutdownPrivilege 3100 svuhost.exe Token: SeDebugPrivilege 3100 svuhost.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2168 svbhost.exe 3100 svuhost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4720 wrote to memory of 3904 4720 42f972925508a82236e8533567487761.exe 78 PID 4720 wrote to memory of 3904 4720 42f972925508a82236e8533567487761.exe 78 PID 4720 wrote to memory of 3904 4720 42f972925508a82236e8533567487761.exe 78 PID 4720 wrote to memory of 4032 4720 42f972925508a82236e8533567487761.exe 79 PID 4720 wrote to memory of 4032 4720 42f972925508a82236e8533567487761.exe 79 PID 4720 wrote to memory of 4032 4720 42f972925508a82236e8533567487761.exe 79 PID 4720 wrote to memory of 2144 4720 42f972925508a82236e8533567487761.exe 80 PID 4720 wrote to memory of 2144 4720 42f972925508a82236e8533567487761.exe 80 PID 4720 wrote to memory of 2144 4720 42f972925508a82236e8533567487761.exe 80 PID 4720 wrote to memory of 3176 4720 42f972925508a82236e8533567487761.exe 81 PID 4720 wrote to memory of 3176 4720 42f972925508a82236e8533567487761.exe 81 PID 4720 wrote to memory of 3176 4720 42f972925508a82236e8533567487761.exe 81 PID 4720 wrote to memory of 4360 4720 42f972925508a82236e8533567487761.exe 82 PID 4720 wrote to memory of 4360 4720 42f972925508a82236e8533567487761.exe 82 PID 4720 wrote to memory of 4360 4720 42f972925508a82236e8533567487761.exe 82 PID 4720 wrote to memory of 3816 4720 42f972925508a82236e8533567487761.exe 83 PID 4720 wrote to memory of 3816 4720 42f972925508a82236e8533567487761.exe 83 PID 4720 wrote to memory of 3816 4720 42f972925508a82236e8533567487761.exe 83 PID 4720 wrote to memory of 4464 4720 42f972925508a82236e8533567487761.exe 84 PID 4720 wrote to memory of 4464 4720 42f972925508a82236e8533567487761.exe 84 PID 4720 wrote to memory of 4464 4720 42f972925508a82236e8533567487761.exe 84 PID 4720 wrote to memory of 4464 4720 42f972925508a82236e8533567487761.exe 84 PID 4720 wrote to memory of 4464 4720 42f972925508a82236e8533567487761.exe 84 PID 4720 wrote to memory of 4464 4720 42f972925508a82236e8533567487761.exe 84 PID 4720 wrote to memory of 4464 4720 42f972925508a82236e8533567487761.exe 84 PID 4720 wrote to memory of 4464 4720 42f972925508a82236e8533567487761.exe 84 PID 4720 wrote to memory of 4464 4720 42f972925508a82236e8533567487761.exe 84 PID 4720 wrote to memory of 4464 4720 42f972925508a82236e8533567487761.exe 84 PID 4720 wrote to memory of 4464 4720 42f972925508a82236e8533567487761.exe 84 PID 4720 wrote to memory of 4464 4720 42f972925508a82236e8533567487761.exe 84 PID 4360 wrote to memory of 1188 4360 oj6nKcf8t6QM1cww.exe 87 PID 4360 wrote to memory of 1188 4360 oj6nKcf8t6QM1cww.exe 87 PID 4360 wrote to memory of 1188 4360 oj6nKcf8t6QM1cww.exe 87 PID 4360 wrote to memory of 1188 4360 oj6nKcf8t6QM1cww.exe 87 PID 4360 wrote to memory of 1188 4360 oj6nKcf8t6QM1cww.exe 87 PID 4360 wrote to memory of 1188 4360 oj6nKcf8t6QM1cww.exe 87 PID 4360 wrote to memory of 1188 4360 oj6nKcf8t6QM1cww.exe 87 PID 4360 wrote to memory of 1188 4360 oj6nKcf8t6QM1cww.exe 87 PID 4360 wrote to memory of 1188 4360 oj6nKcf8t6QM1cww.exe 87 PID 4360 wrote to memory of 1188 4360 oj6nKcf8t6QM1cww.exe 87 PID 4360 wrote to memory of 1188 4360 oj6nKcf8t6QM1cww.exe 87 PID 4032 wrote to memory of 2168 4032 DONRS8eiyuFBBYxo.exe 89 PID 4032 wrote to memory of 2168 4032 DONRS8eiyuFBBYxo.exe 89 PID 4032 wrote to memory of 2168 4032 DONRS8eiyuFBBYxo.exe 89 PID 4032 wrote to memory of 2168 4032 DONRS8eiyuFBBYxo.exe 89 PID 4032 wrote to memory of 2168 4032 DONRS8eiyuFBBYxo.exe 89 PID 4032 wrote to memory of 2168 4032 DONRS8eiyuFBBYxo.exe 89 PID 4032 wrote to memory of 2168 4032 DONRS8eiyuFBBYxo.exe 89 PID 4032 wrote to memory of 2168 4032 DONRS8eiyuFBBYxo.exe 89 PID 4032 wrote to memory of 2168 4032 DONRS8eiyuFBBYxo.exe 89 PID 4032 wrote to memory of 2168 4032 DONRS8eiyuFBBYxo.exe 89 PID 2168 wrote to memory of 2444 2168 svbhost.exe 90 PID 2168 wrote to memory of 2444 2168 svbhost.exe 90 PID 2168 wrote to memory of 2444 2168 svbhost.exe 90 PID 3816 wrote to memory of 2616 3816 xoygXxPNEjZfHSwN.exe 92 PID 3816 wrote to memory of 2616 3816 xoygXxPNEjZfHSwN.exe 92 PID 3816 wrote to memory of 2616 3816 xoygXxPNEjZfHSwN.exe 92 PID 3816 wrote to memory of 2616 3816 xoygXxPNEjZfHSwN.exe 92 PID 3816 wrote to memory of 2616 3816 xoygXxPNEjZfHSwN.exe 92 PID 3816 wrote to memory of 2616 3816 xoygXxPNEjZfHSwN.exe 92 PID 3816 wrote to memory of 2616 3816 xoygXxPNEjZfHSwN.exe 92 PID 3816 wrote to memory of 2616 3816 xoygXxPNEjZfHSwN.exe 92 PID 3816 wrote to memory of 2616 3816 xoygXxPNEjZfHSwN.exe 92 PID 3816 wrote to memory of 2616 3816 xoygXxPNEjZfHSwN.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe"C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4720 -
C:\Users\Admin\AppData\Local\Temp\JMFP8QdaZdxQNSTc.exe"C:\Users\Admin\AppData\Local\Temp\JMFP8QdaZdxQNSTc.exe"2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3904 -
C:\Windows\svehosts.exe"C:\Windows\svehosts.exe"3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4544 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Windows\svehosts.exe" "svehosts.exe" ENABLE4⤵PID:1824
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\DONRS8eiyuFBBYxo.exe"C:\Users\Admin\AppData\Local\Temp\DONRS8eiyuFBBYxo.exe"2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4032 -
C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe"C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe"C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe" 21684⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2444 -
C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe"C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1276
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\FsWGELHnfs75nUAX.exe"C:\Users\Admin\AppData\Local\Temp\FsWGELHnfs75nUAX.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2144 -
C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe"C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe"3⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4156 -
C:\Windows\SysWOW64\notepad.exenotepad4⤵PID:4084
-
-
C:\Users\Admin\Documents\excelsl.exe"C:\Users\Admin\Documents\excelsl.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:8 -
C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe"C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe"5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3100 -
C:\Windows\SysWOW64\notepad.exenotepad6⤵PID:4624
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 10685⤵
- Program crash
PID:3972
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 10763⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4840
-
-
-
C:\Users\Admin\AppData\Local\Temp\nfNIRPKNTDlm5w3t.exe"C:\Users\Admin\AppData\Local\Temp\nfNIRPKNTDlm5w3t.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3176 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'prndrvest"' /tr "'C:\Users\Admin\AppData\Roaming\prndrvest.exe"'3⤵
- Creates scheduled task(s)
PID:4412
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp87EE.tmp.bat""3⤵PID:984
-
C:\Windows\SysWOW64\timeout.exetimeout 34⤵
- Delays execution with timeout.exe
PID:1248
-
-
C:\Users\Admin\AppData\Roaming\prndrvest.exe"C:\Users\Admin\AppData\Roaming\prndrvest.exe"4⤵
- Executes dropped EXE
PID:1452
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\oj6nKcf8t6QM1cww.exe"C:\Users\Admin\AppData\Local\Temp\oj6nKcf8t6QM1cww.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4360 -
C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe"C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe"3⤵
- Executes dropped EXE
PID:1188
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 10683⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1568
-
-
-
C:\Users\Admin\AppData\Local\Temp\xoygXxPNEjZfHSwN.exe"C:\Users\Admin\AppData\Local\Temp\xoygXxPNEjZfHSwN.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3816 -
C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe"C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:2616
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 10683⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4320
-
-
-
C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe"C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe"2⤵
- Executes dropped EXE
PID:4464
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 15802⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4484
-