Malware Analysis Report

2024-11-30 16:00

Sample ID: 220701-fgs9maeed2
Target: 3ed6542d1c8cd0d1aef637127b6a4fcd459ed8e9b5e842909ec8740fa18f5c08
SHA256: 3ed6542d1c8cd0d1aef637127b6a4fcd459ed8e9b5e842909ec8740fa18f5c08
Tags: imminent, persistence, spyware, trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 3ed6542d1c8cd0d1aef637127b6a4fcd459ed8e9b5e842909ec8740fa18f5c08
Threat Level: Known bad

The file 3ed6542d1c8cd0d1aef637127b6a4fcd459ed8e9b5e842909ec8740fa18f5c08 was found to be: Known bad.

Malicious Activity Summary

Tags: imminent, persistence, spyware, trojan

Imminent RAT
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-07-01 04:51

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-07-01 04:51
Reported: 2022-07-01 05:45
Platform: win7-20220414-en
Max time kernel: 151s
Max time network: 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3ed6542d1c8cd0d1aef637127b6a4fcd459ed8e9b5e842909ec8740fa18f5c08.exe"

Signatures

Imminent RAT

Tags: trojan, spyware, imminent

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Win64\Svchost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

Tags: persistence

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A [32 identical rows]
Set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Svchost = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Svchost.txt | cmd" C:\Windows\SysWOW64\reg.exe N/A [32 identical rows]

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3ed6542d1c8cd0d1aef637127b6a4fcd459ed8e9b5e842909ec8740fa18f5c08.exe N/A [2 identical rows]
N/A N/A C:\Users\Admin\AppData\Roaming\Win64\Svchost.exe N/A [62 identical rows]

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Win64\Svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3ed6542d1c8cd0d1aef637127b6a4fcd459ed8e9b5e842909ec8740fa18f5c08.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Win64\Svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\Win64\Svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\Win64\Svchost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Win64\Svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1256 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\3ed6542d1c8cd0d1aef637127b6a4fcd459ed8e9b5e842909ec8740fa18f5c08.exe C:\Windows\SysWOW64\cmd.exe [4 identical rows]
PID 940 wrote to memory of 1344 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Win64\Svchost.exe [4 identical rows]
PID 1344 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Roaming\Win64\Svchost.exe C:\Windows\SysWOW64\cmd.exe [4 identical rows]
PID 1292 wrote to memory of 612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe [4 identical rows]
PID 1344 wrote to memory of 760 N/A C:\Users\Admin\AppData\Roaming\Win64\Svchost.exe C:\Windows\SysWOW64\cmd.exe [4 identical rows]
PID 760 wrote to memory of 1728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe [4 identical rows]
PID 1344 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Roaming\Win64\Svchost.exe C:\Windows\SysWOW64\cmd.exe [4 identical rows]
PID 1956 wrote to memory of 1960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe [4 identical rows]
PID 1344 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Roaming\Win64\Svchost.exe C:\Windows\SysWOW64\cmd.exe [4 identical rows]
PID 1988 wrote to memory of 2016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe [4 identical rows]
PID 1344 wrote to memory of 568 N/A C:\Users\Admin\AppData\Roaming\Win64\Svchost.exe C:\Windows\SysWOW64\cmd.exe [4 identical rows]
PID 568 wrote to memory of 556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe [4 identical rows]
PID 1344 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Roaming\Win64\Svchost.exe C:\Windows\SysWOW64\cmd.exe [4 identical rows]
PID 1592 wrote to memory of 1780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe [4 identical rows]
PID 1344 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Roaming\Win64\Svchost.exe C:\Windows\SysWOW64\cmd.exe [4 identical rows]
PID 1192 wrote to memory of 1704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe [4 identical rows]

Processes

C:\Users\Admin\AppData\Local\Temp\3ed6542d1c8cd0d1aef637127b6a4fcd459ed8e9b5e842909ec8740fa18f5c08.exe

"C:\Users\Admin\AppData\Local\Temp\3ed6542d1c8cd0d1aef637127b6a4fcd459ed8e9b5e842909ec8740fa18f5c08.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Users\Admin\AppData\Roaming\Win64\Svchost.exe

"C:\Users\Admin\AppData\Roaming\Win64\Svchost.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Svchost" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Svchost.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Svchost" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Svchost.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Svchost" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Svchost.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Svchost" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Svchost.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Svchost" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Svchost.txt" | cmd"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Svchost" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Svchost.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Svchost" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Svchost.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Svchost" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Svchost.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Svchost" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Svchost.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Svchost" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Svchost.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Svchost" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Svchost.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Svchost" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Svchost.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Svchost" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Svchost.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Svchost" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Svchost.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Svchost" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Svchost.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Svchost" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Svchost.txt" | cmd"

C:\Windows\SysWOW64\cmd.exe

"cmd"

Network

Country Destination Domain Proto
US 8.8.8.8:53 moview.mywire.org udp
BE 109.134.212.99:9003 moview.mywire.org tcp

Files

\Users\Admin\AppData\Roaming\Win64\Svchost.exe

MD5 73349048786f9da8057aa52d76443190
SHA1 c006b92142a4e21eb99e2206055bb24d672ad9bd
SHA256 3ed6542d1c8cd0d1aef637127b6a4fcd459ed8e9b5e842909ec8740fa18f5c08
SHA512 9a12eead2bb93c9769e7f75b983a7e2b2cbc9a9fe7cc80e2fc68527c75726fd29716d70bdecef72a7416338ecd8941093908b43146afc42ea01a05243c9fb73f

C:\Users\Admin\AppData\Roaming\Win64\Svchost.exe

MD5 73349048786f9da8057aa52d76443190
SHA1 c006b92142a4e21eb99e2206055bb24d672ad9bd
SHA256 3ed6542d1c8cd0d1aef637127b6a4fcd459ed8e9b5e842909ec8740fa18f5c08
SHA512 9a12eead2bb93c9769e7f75b983a7e2b2cbc9a9fe7cc80e2fc68527c75726fd29716d70bdecef72a7416338ecd8941093908b43146afc42ea01a05243c9fb73f

Analysis: behavioral2

Detonation Overview

Submitted

2022-07-01 04:51

Reported

2022-07-01 05:45

Platform

win10v2004-20220414-en

Max time kernel

151s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3ed6542d1c8cd0d1aef637127b6a4fcd459ed8e9b5e842909ec8740fa18f5c08.exe"

Signatures

Imminent RAT

trojan spyware imminent

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Win64\Svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Svchost = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Svchost.txt | cmd" C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3ed6542d1c8cd0d1aef637127b6a4fcd459ed8e9b5e842909ec8740fa18f5c08.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Win64\Svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Win64\Svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3ed6542d1c8cd0d1aef637127b6a4fcd459ed8e9b5e842909ec8740fa18f5c08.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Win64\Svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\Win64\Svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\Win64\Svchost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Win64\Svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4416 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\3ed6542d1c8cd0d1aef637127b6a4fcd459ed8e9b5e842909ec8740fa18f5c08.exe C:\Windows\SysWOW64\cmd.exe
PID 1432 wrote to memory of 1308 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Win64\Svchost.exe
PID 1308 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Roaming\Win64\Svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 2140 wrote to memory of 228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1308 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Roaming\Win64\Svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 4028 wrote to memory of 3068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1308 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Roaming\Win64\Svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 3248 wrote to memory of 3580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1308 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Roaming\Win64\Svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 3312 wrote to memory of 2324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1308 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Roaming\Win64\Svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 3676 wrote to memory of 1624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1308 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Roaming\Win64\Svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 5000 wrote to memory of 936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1308 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Roaming\Win64\Svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 3832 wrote to memory of 2764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1308 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Roaming\Win64\Svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 4356 wrote to memory of 1240 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1308 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Roaming\Win64\Svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 2116 wrote to memory of 2156 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1308 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Roaming\Win64\Svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 4224 wrote to memory of 1600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3ed6542d1c8cd0d1aef637127b6a4fcd459ed8e9b5e842909ec8740fa18f5c08.exe

"C:\Users\Admin\AppData\Local\Temp\3ed6542d1c8cd0d1aef637127b6a4fcd459ed8e9b5e842909ec8740fa18f5c08.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Users\Admin\AppData\Roaming\Win64\Svchost.exe

"C:\Users\Admin\AppData\Roaming\Win64\Svchost.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Svchost" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Svchost.txt" | cmd"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp
US 8.8.8.8:53 moview.mywire.org udp
BE 109.134.212.99:9003 moview.mywire.org tcp
NL 104.110.191.140:80 tcp
US 52.168.117.170:443 tcp
US 209.197.3.8:80 tcp
FR 2.18.109.224:443 tcp
US 104.18.25.243:80 tcp

Files

C:\Users\Admin\AppData\Roaming\Win64\Svchost.exe

MD5 73349048786f9da8057aa52d76443190
SHA1 c006b92142a4e21eb99e2206055bb24d672ad9bd
SHA256 3ed6542d1c8cd0d1aef637127b6a4fcd459ed8e9b5e842909ec8740fa18f5c08
SHA512 9a12eead2bb93c9769e7f75b983a7e2b2cbc9a9fe7cc80e2fc68527c75726fd29716d70bdecef72a7416338ecd8941093908b43146afc42ea01a05243c9fb73f