Analysis
-
max time kernel
152s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
19-09-2022 22:00
Static task
static1
Behavioral task
behavioral1
Sample
f0263cf12d3133afe22ed18a11f4c720ecf2894a922d5fc74ea82ee4d5385940.exe
Resource
win7-20220901-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
f0263cf12d3133afe22ed18a11f4c720ecf2894a922d5fc74ea82ee4d5385940.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
f0263cf12d3133afe22ed18a11f4c720ecf2894a922d5fc74ea82ee4d5385940.exe
-
Size
140KB
-
MD5
6df8cc0effe7944cd6200ccc2561cc48
-
SHA1
19c98316c42058baecfc6eb0aaa2fc713cc6fd8b
-
SHA256
f0263cf12d3133afe22ed18a11f4c720ecf2894a922d5fc74ea82ee4d5385940
-
SHA512
8be86f3cdb15a4d068b05e4b05151ac52e9b9f6641a86e1869eb303a2c9694e5cf82656a551039695bf15425f6136d68e4205f8ecc9791c396c6e46619383208
-
SSDEEP
1536:kZqW1suA2HJm/2n8vwUSnnm68vUsRqw1sz6GILUQBqxIN9LNDYmYyfrdQk8PgF7b:011vpG28vCt8vUO1A6QxIifAGrgp
Score
8/10
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 4872 SVOHOST.exe 1588 SVOHOST.exe 4744 SVOHOST.exe 4472 SVOHOST.exe 2024 SVOHOST.exe 5112 SVOHOST.exe 1364 SVOHOST.exe 4768 SVOHOST.exe 4352 SVOHOST.exe 4212 SVOHOST.exe 2368 SVOHOST.exe 1420 SVOHOST.exe 3648 SVOHOST.exe 4760 SVOHOST.exe 2976 SVOHOST.exe 2312 SVOHOST.exe 4920 SVOHOST.exe 4924 SVOHOST.exe 3540 SVOHOST.exe 2568 SVOHOST.exe 2448 SVOHOST.exe 4300 SVOHOST.exe 2676 SVOHOST.exe 2736 SVOHOST.exe 3604 SVOHOST.exe 1424 SVOHOST.exe 1836 SVOHOST.exe 4740 SVOHOST.exe 4820 SVOHOST.exe 1100 SVOHOST.exe 3652 SVOHOST.exe 3928 SVOHOST.exe 4484 SVOHOST.exe 2316 SVOHOST.exe 1992 SVOHOST.exe 1452 SVOHOST.exe 4168 SVOHOST.exe 4132 SVOHOST.exe 2968 SVOHOST.exe 4676 SVOHOST.exe 4620 SVOHOST.exe 4000 SVOHOST.exe 2584 SVOHOST.exe 3060 SVOHOST.exe 2004 SVOHOST.exe 4760 SVOHOST.exe 3108 SVOHOST.exe 2168 SVOHOST.exe 2952 SVOHOST.exe 3928 SVOHOST.exe 1504 SVOHOST.exe 3540 SVOHOST.exe 1992 SVOHOST.exe 1452 SVOHOST.exe 4168 SVOHOST.exe 4196 SVOHOST.exe 2208 SVOHOST.exe 5044 SVOHOST.exe 4620 SVOHOST.exe 4480 SVOHOST.exe 4164 SVOHOST.exe 4820 SVOHOST.exe 4836 SVOHOST.exe 4916 SVOHOST.exe -
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation SVOHOST.exe Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation SVOHOST.exe Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation SVOHOST.exe Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation SVOHOST.exe Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation SVOHOST.exe Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation SVOHOST.exe Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation SVOHOST.exe Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation SVOHOST.exe Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation SVOHOST.exe Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation SVOHOST.exe Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation SVOHOST.exe Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation SVOHOST.exe Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation SVOHOST.exe Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation SVOHOST.exe Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation SVOHOST.exe Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation SVOHOST.exe Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation SVOHOST.exe Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation SVOHOST.exe Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation SVOHOST.exe Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation SVOHOST.exe Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation SVOHOST.exe Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation SVOHOST.exe Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation SVOHOST.exe Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation SVOHOST.exe Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation SVOHOST.exe Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation SVOHOST.exe Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation SVOHOST.exe Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation SVOHOST.exe Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation SVOHOST.exe Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation SVOHOST.exe Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation SVOHOST.exe Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation SVOHOST.exe Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation SVOHOST.exe Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation SVOHOST.exe Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation SVOHOST.exe Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation SVOHOST.exe Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation SVOHOST.exe Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation SVOHOST.exe Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation Process not Found Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation SVOHOST.exe Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation SVOHOST.exe -
Adds Run key to start application 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe" SVOHOST.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe" SVOHOST.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe" SVOHOST.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run SVOHOST.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run SVOHOST.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run SVOHOST.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run SVOHOST.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe" SVOHOST.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run SVOHOST.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run SVOHOST.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe" SVOHOST.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run SVOHOST.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run SVOHOST.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run SVOHOST.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe" SVOHOST.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run SVOHOST.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe" SVOHOST.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe" SVOHOST.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run SVOHOST.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe" SVOHOST.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe" SVOHOST.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe" SVOHOST.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe" SVOHOST.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe" SVOHOST.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run SVOHOST.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe" SVOHOST.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run SVOHOST.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run SVOHOST.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe" SVOHOST.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe" SVOHOST.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run SVOHOST.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe" SVOHOST.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe" SVOHOST.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe" SVOHOST.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run SVOHOST.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Process not Found -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\SVOHOST.exe SVOHOST.exe File opened for modification C:\Windows\SysWOW64\SVOHOST.exe Process not Found File opened for modification C:\Windows\SysWOW64\noruns.reg Process not Found File opened for modification C:\Windows\SysWOW64\noruns.reg SVOHOST.exe File created C:\Windows\SysWOW64\SVOHOST.exe SVOHOST.exe File opened for modification C:\Windows\SysWOW64\winscok.dll Process not Found File opened for modification C:\Windows\SysWOW64\winscok.dll SVOHOST.exe File opened for modification C:\Windows\SysWOW64\SVOHOST.exe Process not Found File opened for modification C:\Windows\SysWOW64\SVOHOST.exe Process not Found File created C:\Windows\SysWOW64\SVOHOST.exe Process not Found File opened for modification C:\Windows\SysWOW64\SVOHOST.exe SVOHOST.exe File opened for modification C:\Windows\SysWOW64\SVOHOST.exe SVOHOST.exe File created C:\Windows\SysWOW64\SVOHOST.exe SVOHOST.exe File opened for modification C:\Windows\SysWOW64\winscok.dll SVOHOST.exe File opened for modification C:\Windows\SysWOW64\SVOHOST.exe SVOHOST.exe File created C:\Windows\SysWOW64\SVOHOST.exe Process not Found File opened for modification C:\Windows\SysWOW64\noruns.reg Process not Found File opened for modification C:\Windows\SysWOW64\winscok.dll SVOHOST.exe File created C:\Windows\SysWOW64\SVOHOST.exe SVOHOST.exe File created C:\Windows\SysWOW64\SVOHOST.exe SVOHOST.exe File opened for modification C:\Windows\SysWOW64\winscok.dll Process not Found File opened for modification C:\Windows\SysWOW64\noruns.reg SVOHOST.exe File opened for modification C:\Windows\SysWOW64\winscok.dll SVOHOST.exe File opened for modification C:\Windows\SysWOW64\noruns.reg SVOHOST.exe File opened for modification C:\Windows\SysWOW64\winscok.dll SVOHOST.exe File opened for modification C:\Windows\SysWOW64\winscok.dll Process not Found File opened for modification C:\Windows\SysWOW64\noruns.reg SVOHOST.exe File created C:\Windows\SysWOW64\SVOHOST.exe SVOHOST.exe File opened for modification C:\Windows\SysWOW64\noruns.reg SVOHOST.exe File created C:\Windows\SysWOW64\SVOHOST.exe SVOHOST.exe File opened for modification C:\Windows\SysWOW64\SVOHOST.exe SVOHOST.exe File created C:\Windows\SysWOW64\SVOHOST.exe Process not Found File opened for modification C:\Windows\SysWOW64\SVOHOST.exe Process not Found File created C:\Windows\SysWOW64\SVOHOST.exe SVOHOST.exe File opened for modification C:\Windows\SysWOW64\winscok.dll SVOHOST.exe File opened for modification C:\Windows\SysWOW64\noruns.reg Process not Found File created C:\Windows\SysWOW64\SVOHOST.exe Process not Found File opened for modification C:\Windows\SysWOW64\SVOHOST.exe Process not Found File created C:\Windows\SysWOW64\SVOHOST.exe SVOHOST.exe File created C:\Windows\SysWOW64\SVOHOST.exe SVOHOST.exe File opened for modification C:\Windows\SysWOW64\SVOHOST.exe SVOHOST.exe File opened for modification C:\Windows\SysWOW64\noruns.reg Process not Found File opened for modification C:\Windows\SysWOW64\SVOHOST.exe Process not Found File opened for modification C:\Windows\SysWOW64\winscok.dll SVOHOST.exe File created C:\Windows\SysWOW64\SVOHOST.exe SVOHOST.exe File opened for modification C:\Windows\SysWOW64\noruns.reg SVOHOST.exe File opened for modification C:\Windows\SysWOW64\SVOHOST.exe Process not Found File opened for modification C:\Windows\SysWOW64\SVOHOST.exe SVOHOST.exe File opened for modification C:\Windows\SysWOW64\winscok.dll Process not Found File created C:\Windows\SysWOW64\SVOHOST.exe SVOHOST.exe File opened for modification C:\Windows\SysWOW64\noruns.reg SVOHOST.exe File opened for modification C:\Windows\SysWOW64\SVOHOST.exe SVOHOST.exe File opened for modification C:\Windows\SysWOW64\SVOHOST.exe Process not Found File opened for modification C:\Windows\SysWOW64\winscok.dll SVOHOST.exe File opened for modification C:\Windows\SysWOW64\noruns.reg SVOHOST.exe File opened for modification C:\Windows\SysWOW64\noruns.reg Process not Found File created C:\Windows\SysWOW64\SVOHOST.exe Process not Found File opened for modification C:\Windows\SysWOW64\noruns.reg SVOHOST.exe File created C:\Windows\SysWOW64\SVOHOST.exe SVOHOST.exe File opened for modification C:\Windows\SysWOW64\noruns.reg SVOHOST.exe File opened for modification C:\Windows\SysWOW64\winscok.dll SVOHOST.exe File opened for modification C:\Windows\SysWOW64\noruns.reg SVOHOST.exe File created C:\Windows\SysWOW64\SVOHOST.exe SVOHOST.exe File opened for modification C:\Windows\SysWOW64\noruns.reg SVOHOST.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs .reg file with regedit 2 IoCs
pid Process 4176 regedit.exe 3656 regedit.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1984 f0263cf12d3133afe22ed18a11f4c720ecf2894a922d5fc74ea82ee4d5385940.exe 1984 f0263cf12d3133afe22ed18a11f4c720ecf2894a922d5fc74ea82ee4d5385940.exe 1984 f0263cf12d3133afe22ed18a11f4c720ecf2894a922d5fc74ea82ee4d5385940.exe 1984 f0263cf12d3133afe22ed18a11f4c720ecf2894a922d5fc74ea82ee4d5385940.exe 4872 SVOHOST.exe 4872 SVOHOST.exe 4872 SVOHOST.exe 4872 SVOHOST.exe 1588 SVOHOST.exe 1588 SVOHOST.exe 1588 SVOHOST.exe 1588 SVOHOST.exe 4744 SVOHOST.exe 4744 SVOHOST.exe 4744 SVOHOST.exe 4744 SVOHOST.exe 4472 SVOHOST.exe 4472 SVOHOST.exe 4472 SVOHOST.exe 4472 SVOHOST.exe 2024 SVOHOST.exe 2024 SVOHOST.exe 2024 SVOHOST.exe 2024 SVOHOST.exe 5112 SVOHOST.exe 5112 SVOHOST.exe 5112 SVOHOST.exe 5112 SVOHOST.exe 1364 SVOHOST.exe 1364 SVOHOST.exe 1364 SVOHOST.exe 1364 SVOHOST.exe 4768 SVOHOST.exe 4768 SVOHOST.exe 4768 SVOHOST.exe 4768 SVOHOST.exe 4352 SVOHOST.exe 4352 SVOHOST.exe 4352 SVOHOST.exe 4352 SVOHOST.exe 4212 SVOHOST.exe 4212 SVOHOST.exe 4212 SVOHOST.exe 4212 SVOHOST.exe 2368 SVOHOST.exe 2368 SVOHOST.exe 2368 SVOHOST.exe 2368 SVOHOST.exe 1420 SVOHOST.exe 1420 SVOHOST.exe 1420 SVOHOST.exe 1420 SVOHOST.exe 3648 SVOHOST.exe 3648 SVOHOST.exe 3648 SVOHOST.exe 3648 SVOHOST.exe 4760 SVOHOST.exe 4760 SVOHOST.exe 4760 SVOHOST.exe 4760 SVOHOST.exe 2976 SVOHOST.exe 2976 SVOHOST.exe 2976 SVOHOST.exe 2976 SVOHOST.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1984 wrote to memory of 4872 1984 f0263cf12d3133afe22ed18a11f4c720ecf2894a922d5fc74ea82ee4d5385940.exe 80 PID 1984 wrote to memory of 4872 1984 f0263cf12d3133afe22ed18a11f4c720ecf2894a922d5fc74ea82ee4d5385940.exe 80 PID 1984 wrote to memory of 4872 1984 f0263cf12d3133afe22ed18a11f4c720ecf2894a922d5fc74ea82ee4d5385940.exe 80 PID 1984 wrote to memory of 4176 1984 f0263cf12d3133afe22ed18a11f4c720ecf2894a922d5fc74ea82ee4d5385940.exe 81 PID 1984 wrote to memory of 4176 1984 f0263cf12d3133afe22ed18a11f4c720ecf2894a922d5fc74ea82ee4d5385940.exe 81 PID 1984 wrote to memory of 4176 1984 f0263cf12d3133afe22ed18a11f4c720ecf2894a922d5fc74ea82ee4d5385940.exe 81 PID 1984 wrote to memory of 4812 1984 f0263cf12d3133afe22ed18a11f4c720ecf2894a922d5fc74ea82ee4d5385940.exe 82 PID 1984 wrote to memory of 4812 1984 f0263cf12d3133afe22ed18a11f4c720ecf2894a922d5fc74ea82ee4d5385940.exe 82 PID 1984 wrote to memory of 4812 1984 f0263cf12d3133afe22ed18a11f4c720ecf2894a922d5fc74ea82ee4d5385940.exe 82 PID 4872 wrote to memory of 1588 4872 SVOHOST.exe 84 PID 4872 wrote to memory of 1588 4872 SVOHOST.exe 84 PID 4872 wrote to memory of 1588 4872 SVOHOST.exe 84 PID 4872 wrote to memory of 3884 4872 SVOHOST.exe 85 PID 4872 wrote to memory of 3884 4872 SVOHOST.exe 85 PID 4872 wrote to memory of 3884 4872 SVOHOST.exe 85 PID 1588 wrote to memory of 4744 1588 SVOHOST.exe 87 PID 1588 wrote to memory of 4744 1588 SVOHOST.exe 87 PID 1588 wrote to memory of 4744 1588 SVOHOST.exe 87 PID 1588 wrote to memory of 2568 1588 SVOHOST.exe 88 PID 1588 wrote to memory of 2568 1588 SVOHOST.exe 88 PID 1588 wrote to memory of 2568 1588 SVOHOST.exe 88 PID 4744 wrote to memory of 4472 4744 SVOHOST.exe 90 PID 4744 wrote to memory of 4472 4744 SVOHOST.exe 90 PID 4744 wrote to memory of 4472 4744 SVOHOST.exe 90 PID 4744 wrote to memory of 324 4744 SVOHOST.exe 91 PID 4744 wrote to memory of 324 4744 SVOHOST.exe 91 PID 4744 wrote to memory of 324 4744 SVOHOST.exe 91 PID 4472 wrote to memory of 2024 4472 SVOHOST.exe 93 PID 4472 wrote to memory of 2024 4472 SVOHOST.exe 93 PID 4472 wrote to memory of 2024 4472 SVOHOST.exe 93 PID 4472 wrote to memory of 1260 4472 SVOHOST.exe 94 PID 4472 wrote to memory of 1260 4472 SVOHOST.exe 94 PID 4472 wrote to memory of 1260 4472 SVOHOST.exe 94 PID 2024 wrote to memory of 5112 2024 SVOHOST.exe 96 PID 2024 wrote to memory of 5112 2024 SVOHOST.exe 96 PID 2024 wrote to memory of 5112 2024 SVOHOST.exe 96 PID 2024 wrote to memory of 5116 2024 SVOHOST.exe 97 PID 2024 wrote to memory of 5116 2024 SVOHOST.exe 97 PID 2024 wrote to memory of 5116 2024 SVOHOST.exe 97 PID 5112 wrote to memory of 1364 5112 SVOHOST.exe 99 PID 5112 wrote to memory of 1364 5112 SVOHOST.exe 99 PID 5112 wrote to memory of 1364 5112 SVOHOST.exe 99 PID 5112 wrote to memory of 5036 5112 SVOHOST.exe 100 PID 5112 wrote to memory of 5036 5112 SVOHOST.exe 100 PID 5112 wrote to memory of 5036 5112 SVOHOST.exe 100 PID 1364 wrote to memory of 4768 1364 SVOHOST.exe 102 PID 1364 wrote to memory of 4768 1364 SVOHOST.exe 102 PID 1364 wrote to memory of 4768 1364 SVOHOST.exe 102 PID 1364 wrote to memory of 4424 1364 SVOHOST.exe 103 PID 1364 wrote to memory of 4424 1364 SVOHOST.exe 103 PID 1364 wrote to memory of 4424 1364 SVOHOST.exe 103 PID 4768 wrote to memory of 4352 4768 SVOHOST.exe 105 PID 4768 wrote to memory of 4352 4768 SVOHOST.exe 105 PID 4768 wrote to memory of 4352 4768 SVOHOST.exe 105 PID 4768 wrote to memory of 3176 4768 SVOHOST.exe 106 PID 4768 wrote to memory of 3176 4768 SVOHOST.exe 106 PID 4768 wrote to memory of 3176 4768 SVOHOST.exe 106 PID 4352 wrote to memory of 4212 4352 SVOHOST.exe 108 PID 4352 wrote to memory of 4212 4352 SVOHOST.exe 108 PID 4352 wrote to memory of 4212 4352 SVOHOST.exe 108 PID 4352 wrote to memory of 3396 4352 SVOHOST.exe 109 PID 4352 wrote to memory of 3396 4352 SVOHOST.exe 109 PID 4352 wrote to memory of 3396 4352 SVOHOST.exe 109 PID 4212 wrote to memory of 2368 4212 SVOHOST.exe 112
Processes
-
C:\Users\Admin\AppData\Local\Temp\f0263cf12d3133afe22ed18a11f4c720ecf2894a922d5fc74ea82ee4d5385940.exe"C:\Users\Admin\AppData\Local\Temp\f0263cf12d3133afe22ed18a11f4c720ecf2894a922d5fc74ea82ee4d5385940.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4872 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4744 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4472 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5112 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1364 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4768 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4352 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"11⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4212 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\SVOHOST.exe"12⤵PID:1516
-
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2368 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"13⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
PID:1420 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3648 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"15⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4760 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2976 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"17⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"18⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4920 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"19⤵
- Executes dropped EXE
- Checks computer location settings
PID:4924 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"20⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3540 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"21⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"22⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"23⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4300 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"24⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"25⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"26⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3604 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"27⤵
- Executes dropped EXE
PID:1424 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"28⤵
- Executes dropped EXE
PID:1836 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4740 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"30⤵
- Executes dropped EXE
PID:4820 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"31⤵
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"32⤵
- Executes dropped EXE
PID:3652 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"33⤵
- Executes dropped EXE
PID:3928 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"34⤵
- Executes dropped EXE
PID:4484 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2316 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"36⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"37⤵
- Executes dropped EXE
PID:1452 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"38⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4168 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"39⤵
- Executes dropped EXE
PID:4132 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"40⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"41⤵
- Executes dropped EXE
PID:4676 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"42⤵
- Executes dropped EXE
PID:4620 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4000 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"44⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"45⤵
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2004 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"47⤵
- Executes dropped EXE
PID:4760 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"48⤵
- Executes dropped EXE
PID:3108 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"49⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"50⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"51⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3928 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"52⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"53⤵
- Executes dropped EXE
PID:3540 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"54⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"55⤵
- Executes dropped EXE
PID:1452 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"56⤵
- Executes dropped EXE
PID:4168 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"57⤵
- Executes dropped EXE
PID:4196 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"58⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"59⤵
- Executes dropped EXE
PID:5044 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"60⤵
- Executes dropped EXE
PID:4620 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4480 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"62⤵
- Executes dropped EXE
PID:4164 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"63⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4820 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"64⤵
- Executes dropped EXE
- Checks computer location settings
PID:4836 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"65⤵
- Executes dropped EXE
- Checks computer location settings
PID:4916 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"66⤵PID:544
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"67⤵PID:2240
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"68⤵PID:1552
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"69⤵PID:2724
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"70⤵PID:4172
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"71⤵PID:5080
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"72⤵PID:2676
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"73⤵PID:1300
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"74⤵PID:4324
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"75⤵
- Checks computer location settings
PID:2124 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\SVOHOST.exe"76⤵PID:2992
-
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"76⤵PID:4012
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"77⤵PID:1136
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\SVOHOST.exe"78⤵PID:632
-
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"78⤵PID:4788
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"79⤵PID:4344
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"80⤵PID:3920
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"81⤵PID:2664
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"82⤵PID:2212
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"83⤵PID:3508
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"84⤵PID:1060
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"85⤵PID:1184
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\SVOHOST.exe"86⤵PID:1756
-
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"86⤵PID:1992
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"87⤵PID:1980
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"88⤵PID:3428
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"89⤵PID:4852
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"90⤵PID:2736
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"91⤵PID:3432
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"92⤵PID:1516
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"93⤵PID:2368
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"94⤵PID:2300
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"95⤵
- Adds Run key to start application
PID:3912 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"96⤵PID:2204
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"97⤵PID:2988
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"98⤵PID:1380
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"99⤵PID:1128
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"100⤵PID:4720
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\SVOHOST.exe"101⤵PID:760
-
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"101⤵PID:3676
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"102⤵PID:212
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"103⤵PID:4036
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"104⤵PID:5080
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"105⤵PID:620
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"106⤵PID:4732
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"107⤵PID:5060
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"108⤵
- Adds Run key to start application
PID:3544 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del "C:\Windows\SysWOW64\SVOHOST.exe"109⤵PID:1516
-
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"109⤵PID:1068
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"110⤵PID:1136
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"111⤵PID:2696
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"112⤵PID:3956
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"113⤵PID:2460
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"114⤵PID:4672
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"115⤵PID:3200
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"116⤵PID:4940
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"117⤵
- Adds Run key to start application
PID:4256 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"118⤵
- Checks computer location settings
- Drops file in System32 directory
PID:1060 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"119⤵PID:4376
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"120⤵PID:4300
-
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"121⤵PID:1132
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-