Analysis

max time kernel: 173s
max time network: 176s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-11-2022 05:06
Static task: static1

Behavioral task: behavioral1
Sample: d3b5ae7586d3f84ee4c6f58db907b153b54f8b24bcac5f6ab9d596ebec53dfa5.exe
Resource: win7-20220812-en

Behavioral task: behavioral2 (the run reported below; its resource matches the analysis header)
Sample: d3b5ae7586d3f84ee4c6f58db907b153b54f8b24bcac5f6ab9d596ebec53dfa5.exe
Resource: win10v2004-20220812-en
General

Target: d3b5ae7586d3f84ee4c6f58db907b153b54f8b24bcac5f6ab9d596ebec53dfa5.exe
Size: 163KB
MD5: 0e890823c80472b54188227623afeea2
SHA1: 7df1dc6734d6cd40cb0a69513de915129003a3b9
SHA256: d3b5ae7586d3f84ee4c6f58db907b153b54f8b24bcac5f6ab9d596ebec53dfa5
SHA512: 48201cb8e2d3732f60bf2b9940e8d5256326af64d4daa6d1c1b0e51e4059856a01075b274293065d4e6f7f3ac7d4adc3d9211514f1bd0c110cabee2b1136acce
SSDEEP: 1536:sJqGVsuAJqht7wUNl8B3PiFRqw1sz6GILUQBWDgRcA384gu1lAoWYpA2joP:MVVAkht8Uj8B36j1A60g801l/WYu2jo
Malware Config
Signatures
Executes dropped EXE (64 IoCs)

Process: SVOHOST.exe for all 64 entries. PIDs in the order recorded:
2848, 3576, 5032, 4024, 3740, 1724, 1232, 5008, 1956, 3812, 3604, 3924, 1092, 1868, 3200, 4276, 3244, 3112, 880, 2696, 2388, 1540, 3152, 2876, 1140, 1344, 2524, 3264, 4920, 5032, 1892, 3472, 4264, 1232, 260, 1600, 3492, 1968, 3516, 1588, 3444, 2432, 3200, 4704, 4612, 2648, 440, 1616, 724, 4692, 732, 3152, 4104, 3228, 3952, 4868, 4904, 3264, 2128, 3964, 4168, 4108, 4500, 320

Five PIDs (5032, 1232, 3200, 3152, 3264) occur twice. Windows reuses a PID once the earlier process has exited, so within this trace a PID on its own does not identify a single SVOHOST.exe instance; pair it with the process tree position or start time.
Checks computer location settings (2 TTPs, 64 IoCs)

Looks up the country code configured in the registry, likely a geofence check.

All 64 events are the same query, issued by SVOHOST.exe:
Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation
Adds Run key to start application (2 TTPs, 64 IoCs)

The 64 events are of two kinds, all performed by SVOHOST.exe:
Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SoundMam = "C:\\Windows\\system32\\SVOHOST.exe"

The key lands under WOW6432Node because the writer is a 32-bit process and the registry redirector maps its HKLM\Software writes there. The value's path, C:\Windows\system32\SVOHOST.exe, is the 32-bit process's view of C:\Windows\SysWOW64\SVOHOST.exe, which is where the file was actually written (see the next signature). When hunting, read the SoundMam value from both the native and the WOW6432Node Run keys.
Drops file in System32 directory (64 IoCs)

Four distinct events, repeated by SVOHOST.exe for a total of 64 IoCs:
File created: C:\Windows\SysWOW64\SVOHOST.exe
File opened for modification: C:\Windows\SysWOW64\SVOHOST.exe
File opened for modification: C:\Windows\SysWOW64\noruns.reg
File opened for modification: C:\Windows\SysWOW64\winscok.dll

Every path is under SysWOW64, not System32: the sample is 32-bit, and WOW64 file-system redirection sends its writes to C:\Windows\system32 there. winscok.dll is not a Windows component (the real Winsock libraries are ws2_32.dll and wsock32.dll); the report records the file being opened for modification but shows neither its contents nor whether it is ever loaded.
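The following hunting script is an added example, not part of the sandbox output or of the sample. It checks a host for the three kinds of IoC the report lists (the SoundMam Run value, the files dropped under SysWOW64, and running SVOHOST.exe processes) and handles the WOW64 point above by reading both the native and the WOW6432Node registry views and both the System32 and the SysWOW64 directories. It assumes 64-bit Windows and an elevated 64-bit PowerShell; it reads HKLM and C:\Windows and changes nothing. The hash, value name and file names are copied from the report, so a variant may differ in all of them.

```powershell
# Added hunting script for the IoCs in this report; not part of the sandbox output.
# Assumptions: 64-bit Windows, elevated 64-bit PowerShell. Read-only.

$SampleSha256 = 'd3b5ae7586d3f84ee4c6f58db907b153b54f8b24bcac5f6ab9d596ebec53dfa5'
$RunValueName = 'SoundMam'
$DroppedNames = 'SVOHOST.exe', 'noruns.reg', 'winscok.dll'

if (-not [Environment]::Is64BitProcess) {
    # A 32-bit shell sees the same redirection the sample did: its "System32"
    # is really SysWOW64 and its HKLM:\SOFTWARE is really WOW6432Node.
    Write-Warning 'Running as a 32-bit process; use the 64-bit PowerShell so both views are reachable.'
}

# The sample wrote to the WOW6432Node Run key (it is 32-bit). The native key and
# HKCU are checked as well in case a 64-bit or per-user variant is present.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
# SysWOW64 is where the report shows the drops; System32 would catch a 64-bit variant.
$DropDirs = (Join-Path $env:windir 'SysWOW64'), (Join-Path $env:windir 'System32')
# Properties the registry provider adds to every Get-ItemProperty result.
$PsNoise  = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

$findings = New-Object System.Collections.Generic.List[object]

foreach ($key in $RunKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    foreach ($prop in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
        if ($prop.Name -in $PsNoise) { continue }
        # Match the value name the sample used, and any value pointing at the dropped name
        # (a variant may keep the file name but change the value name).
        if ($prop.Name -eq $RunValueName -or "$($prop.Value)" -match 'SVOHOST\.exe') {
            $findings.Add([pscustomobject]@{ Kind = 'RunKey'; Where = "$key\$($prop.Name)"; Detail = $prop.Value })
        }
    }
}

foreach ($dir in $DropDirs) {
    foreach ($name in $DroppedNames) {
        $path = Join-Path $dir $name
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLowerInvariant()
        # If the dropped EXE is a straight copy of the sample its hash matches; the .reg
        # and .dll will not, so their hashes are reported for collection and triage.
        $detail = if ($hash -eq $SampleSha256) { 'sha256 matches the sample' } else { "sha256=$hash" }
        $findings.Add([pscustomobject]@{ Kind = 'File'; Where = $path; Detail = $detail })
    }
}

# Live instances. The report shows SVOHOST.exe processes chained parent-to-child;
# do not confuse the name with the legitimate svchost.exe.
foreach ($proc in Get-CimInstance -ClassName Win32_Process -Filter "Name = 'SVOHOST.exe'") {
    $findings.Add([pscustomobject]@{
        Kind   = 'Process'
        Where  = "PID $($proc.ProcessId) (parent $($proc.ParentProcessId))"
        Detail = $proc.ExecutablePath
    })
}

if ($findings.Count -eq 0) { 'No IoCs from this report were found on this host.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Run it from an elevated 64-bit PowerShell; a 32-bit shell would itself be subject to the redirection the script is trying to see past. Any Process finding should be followed by collecting the ExecutablePath it reports rather than killing the process first, since the chain respawns from a dropped copy.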
Enumerates physical storage devices (1 TTPs)

Attempts to interact with connected storage/optical drive(s). The signature's stock description calls this likely ransomware behaviour, but nothing else in this report supports that reading for this sample: no file-encryption or ransom-note activity is recorded. Treat the descriptor as the signature's generic text rather than as a finding about this sample.
Runs .reg file with regedit (3 IoCs)

pid   Process
4852  regedit.exe
4260  regedit.exe
2604  regedit.exe

The report does not show regedit's command line. The only .reg file the sample writes is C:\Windows\SysWOW64\noruns.reg (listed under "Drops file in System32 directory"), so that is the likely import; its contents are not shown.
Suspicious behavior: EnumeratesProcesses (64 IoCs)

Each PID below is recorded four times (64 IoCs in total):

pid   Process
3440  d3b5ae7586d3f84ee4c6f58db907b153b54f8b24bcac5f6ab9d596ebec53dfa5.exe
2848  SVOHOST.exe
3576  SVOHOST.exe
5032  SVOHOST.exe
4024  SVOHOST.exe
3740  SVOHOST.exe
1724  SVOHOST.exe
1232  SVOHOST.exe
5008  SVOHOST.exe
1956  SVOHOST.exe
3812  SVOHOST.exe
3604  SVOHOST.exe
3924  SVOHOST.exe
1092  SVOHOST.exe
1868  SVOHOST.exe
3200  SVOHOST.exe
Suspicious use of WriteProcessMemory (64 IoCs)

Every parent wrote into the memory of the child it had just launched. Each parent/child pair is recorded three times; the table lists each once (the final pair, 2388 -> 1540, appears only once because the list stops at 64 IoCs). procid_target is the sandbox's internal id for the target process.

parent PID  Process (parent)                                                          child PID  procid_target
3440        d3b5ae7586d3f84ee4c6f58db907b153b54f8b24bcac5f6ab9d596ebec53dfa5.exe      2848       80
2848        SVOHOST.exe                                                               3576       82
3576        SVOHOST.exe                                                               5032       83
5032        SVOHOST.exe                                                               4024       84
4024        SVOHOST.exe                                                               3740       85
3740        SVOHOST.exe                                                               1724       86
1724        SVOHOST.exe                                                               1232       87
1232        SVOHOST.exe                                                               5008       88
5008        SVOHOST.exe                                                               1956       89
1956        SVOHOST.exe                                                               3812       90
3812        SVOHOST.exe                                                               3604       91
3604        SVOHOST.exe                                                               3924       92
3924        SVOHOST.exe                                                               1092       93
1092        SVOHOST.exe                                                               1868       94
1868        SVOHOST.exe                                                               3200       95
3200        SVOHOST.exe                                                               4276       96
4276        SVOHOST.exe                                                               3244       97
3244        SVOHOST.exe                                                               3112       98
3112        SVOHOST.exe                                                               880        99
880         SVOHOST.exe                                                               2696       100
2696        SVOHOST.exe                                                               2388       101
2388        SVOHOST.exe                                                               1540       102
Processes
-
C:\Users\Admin\AppData\Local\Temp\d3b5ae7586d3f84ee4c6f58db907b153b54f8b24bcac5f6ab9d596ebec53dfa5.exe"C:\Users\Admin\AppData\Local\Temp\d3b5ae7586d3f84ee4c6f58db907b153b54f8b24bcac5f6ab9d596ebec53dfa5.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3440 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3576 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5032 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"5⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4024 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3740 -
C:\Windows\SysWOW64\SVOHOST.exe"C:\Windows\system32\SVOHOST.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 8)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1232

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 9)
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 5008

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 10)
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1956

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 11)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 3812

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 12)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 3604

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 13)
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 3924

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 14)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1092

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 15)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1868

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 16)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 3200

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 17)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 4276

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 18)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 3244

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 19)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 3112

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 20)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 880

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 21)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 2696

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 22)
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 2388

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 23)
- Executes dropped EXE
- Checks computer location settings
PID: 1540

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 24)
- Executes dropped EXE
PID: 3152

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 25)
- Executes dropped EXE
PID: 2876

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 26)
- Executes dropped EXE
PID: 1140

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 27)
- Executes dropped EXE
PID: 1344

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 28)
- Executes dropped EXE
- Adds Run key to start application
PID: 2524

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 29)
- Executes dropped EXE
PID: 3264

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 30)
- Executes dropped EXE
PID: 4920

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 31)
- Executes dropped EXE
- Drops file in System32 directory
PID: 5032

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 32)
- Executes dropped EXE
PID: 1892

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 33)
- Executes dropped EXE
PID: 3472

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 34)
- Executes dropped EXE
PID: 4264

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 35)
- Executes dropped EXE
PID: 1232

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 36)
- Executes dropped EXE
PID: 260

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 37)
- Executes dropped EXE
PID: 1600

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 38)
- Executes dropped EXE
PID: 3492

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 39)
- Executes dropped EXE
PID: 1968

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 40)
- Executes dropped EXE
PID: 3516

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 41)
- Executes dropped EXE
- Checks computer location settings
PID: 1588

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 42)
- Executes dropped EXE
PID: 3444

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 43)
- Executes dropped EXE
PID: 2432

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 44)
- Executes dropped EXE
PID: 3200

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 45)
- Executes dropped EXE
- Drops file in System32 directory
PID: 4704

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 46)
- Executes dropped EXE
PID: 4612

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 47)
- Executes dropped EXE
- Adds Run key to start application
PID: 2648

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 48)
- Executes dropped EXE
PID: 440

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 49)
- Executes dropped EXE
PID: 1616

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 50)
- Executes dropped EXE
PID: 724

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 51)
- Executes dropped EXE
- Drops file in System32 directory
PID: 4692

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 52)
- Executes dropped EXE
PID: 732

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 53)
- Executes dropped EXE
- Checks computer location settings
PID: 3152

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 54)
- Executes dropped EXE
PID: 4104

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 55)
- Executes dropped EXE
- Checks computer location settings
PID: 3228

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 56)
- Executes dropped EXE
PID: 3952

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 57)
- Executes dropped EXE
PID: 4868

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 58)
- Executes dropped EXE
PID: 4904

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 59)
- Executes dropped EXE
- Adds Run key to start application
PID: 3264

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 60)
- Executes dropped EXE
PID: 2128

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 61)
- Executes dropped EXE
PID: 3964

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 62)
- Executes dropped EXE
PID: 4168

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 63)
- Executes dropped EXE
- Adds Run key to start application
PID: 4108

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 64)
- Executes dropped EXE
- Adds Run key to start application
PID: 4500

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 65)
- Executes dropped EXE
PID: 320
C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 66)
PID: 4972

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 67)
PID: 3384

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 68)
PID: 3736

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 69)
PID: 1940

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 70)
PID: 4240

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 71)
PID: 3924

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 72)
PID: 4912

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 73)
PID: 2812

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 74)
PID: 1084

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 75)
PID: 4584

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 76)
- Drops file in System32 directory
PID: 8

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 77)
PID: 1960

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 78)
PID: 3932

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 79)
- Checks computer location settings
PID: 2828

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 80)
PID: 3352

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 81)
PID: 736

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 82)
PID: 4536

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 83)
PID: 2236

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 84)
- Adds Run key to start application
PID: 4284

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 85)
PID: 2876

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 86)
PID: 3888

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 87)
PID: 1592

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 88)
PID: 1336

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 89)
PID: 2548

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 90)
PID: 4808

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 91)
PID: 2244

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 92)
PID: 4100

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 93)
PID: 1632

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 94)
- Drops file in System32 directory
PID: 1892

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 95)
PID: 4708

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 96)
PID: 316

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 97)
PID: 4756

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 98)
PID: 1384

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 99)
PID: 2240

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 100)
PID: 2044

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 101)
PID: 3468

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 102)
PID: 1968

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 103)
PID: 1328

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 104)
PID: 960

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 105)
PID: 3996

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 106)
PID: 2580

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 107)
PID: 3416

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 108)
PID: 4552

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 109)
PID: 4996

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 110)
PID: 1900

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 111)
PID: 4236

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 112)
- Drops file in System32 directory
PID: 2836

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 113)
PID: 1964

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 114)
PID: 1680

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 115)
PID: 1080

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 116)
- Drops file in System32 directory
PID: 3448

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 117)
PID: 3536

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 118)
PID: 4104

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 119)
PID: 1904

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 120)
- Checks computer location settings
PID: 3760

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 121)
PID: 2884

C:\Windows\SysWOW64\SVOHOST.exe "C:\Windows\system32\SVOHOST.exe" (depth 122)
PID: 5076