Malware Analysis Report

2024-08-06 19:34

Sample ID 221128-wtvwzsaf9v
Target f2ed55cb985dc9394ae8460794150ddde3c2d1260945db5be187e4c8fd14e5a3
SHA256 f2ed55cb985dc9394ae8460794150ddde3c2d1260945db5be187e4c8fd14e5a3
Tags
njrat billy evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f2ed55cb985dc9394ae8460794150ddde3c2d1260945db5be187e4c8fd14e5a3

Threat Level: Known bad

The file f2ed55cb985dc9394ae8460794150ddde3c2d1260945db5be187e4c8fd14e5a3 was found to be: Known bad.

Malicious Activity Summary

njrat billy evasion persistence trojan

Modifies visiblity of hidden/system files in Explorer

njRAT/Bladabindi

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V6

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Hidden Files and Directories
T1158
Registry Run Keys / Startup Folder
T1060
Privilege Escalation
TA0004
Defense Evasion
TA0005
Hidden Files and Directories
T1158
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040

Analysis: static1

Detonation Overview

Reported

2022-11-28 18:13

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-28 18:13

Reported

2022-11-30 01:12

Platform

win10v2004-20220812-en

Max time kernel

66s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f2ed55cb985dc9394ae8460794150ddde3c2d1260945db5be187e4c8fd14e5a3.exe"

Signatures

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A

njRAT/Bladabindi

trojan njrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f2ed55cb985dc9394ae8460794150ddde3c2d1260945db5be187e4c8fd14e5a3.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\C:\Users\Admin\8G8MD9~1 = "C:\\Users\\Admin\\8G8MD9~1\\zffhsitfyanh.vbs" C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4896 set thread context of 2180 N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4728 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\f2ed55cb985dc9394ae8460794150ddde3c2d1260945db5be187e4c8fd14e5a3.exe C:\Users\Admin\8g8md9q55t9k8\msvoht.exe
PID 4728 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\f2ed55cb985dc9394ae8460794150ddde3c2d1260945db5be187e4c8fd14e5a3.exe C:\Users\Admin\8g8md9q55t9k8\msvoht.exe
PID 4728 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\f2ed55cb985dc9394ae8460794150ddde3c2d1260945db5be187e4c8fd14e5a3.exe C:\Users\Admin\8g8md9q55t9k8\msvoht.exe
PID 4896 wrote to memory of 2180 N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4896 wrote to memory of 2180 N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4896 wrote to memory of 2180 N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4896 wrote to memory of 2180 N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4896 wrote to memory of 2180 N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4896 wrote to memory of 2180 N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4896 wrote to memory of 2180 N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 4896 wrote to memory of 2180 N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2180 wrote to memory of 3416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2180 wrote to memory of 3416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2180 wrote to memory of 3416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Users\Admin\AppData\Roaming\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f2ed55cb985dc9394ae8460794150ddde3c2d1260945db5be187e4c8fd14e5a3.exe

"C:\Users\Admin\AppData\Local\Temp\f2ed55cb985dc9394ae8460794150ddde3c2d1260945db5be187e4c8fd14e5a3.exe"

C:\Users\Admin\8g8md9q55t9k8\msvoht.exe

"C:\Users\Admin\8g8md9q55t9k8\msvoht.exe" nzlmuc

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\8G8MD9~1\run.vbs"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\8G8MD9~1\run.vbs"

Network

Country Destination Domain Proto
N/A 8.238.111.126:80 tcp
N/A 8.238.111.126:80 tcp

Files

memory/4896-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\8g8md9q55t9k8\msvoht.exe

MD5 71d8f6d5dc35517275bc38ebcc815f9f
SHA1 cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256 fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA512 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

C:\Users\Admin\8g8md9q55t9k8\msvoht.exe

MD5 71d8f6d5dc35517275bc38ebcc815f9f
SHA1 cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256 fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA512 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

C:\Users\Admin\8g8md9q55t9k8\nzlmuc

MD5 07c9503bebabfe1b926c094e2cd0d6c5
SHA1 ae9b9a62584bd1488bcf8268cbb5124ca7d44795
SHA256 8fd639bf83ef6f5e5c083096e765241cbb268edcb252bf9eae7e0012f951ebd9
SHA512 3b42490c969e5ff37b95bf272bb0acfb40279e62560046b9b46a43c830a9eed1314e485f0ce219fd9411eba6936769128db83c318581f370be49ed90b8dfa911

C:\Users\Admin\8G8MD9~1\jshvp.UNT

MD5 35b3cf90cee61304ff309c20704eb422
SHA1 72b771a97d39fdab15a70bc24fa31e25eeb0ab56
SHA256 e0eb8480787194877b9d8c0dea59400af9c41a3d99c9909ede2076f5596b1808
SHA512 f73df96afc8a40e8dbb2759c4c012596486e37159f0cb6b866d49d179422e4446a5dd62ce30596cccb0a50b3c558d8f17c081907d42c7c55577a9478e5a94d05

C:\Users\Admin\8G8MD9~1\yyiuyaz.UKC

MD5 cbbf6902528ee0709dad67d3838ac5bd
SHA1 6f5f3739da42afdd55265d44e6f224fea75db0ce
SHA256 13f22712b2458f01efc9351368e980bc073a072d825eedcb2f2aa43f9be4cc11
SHA512 da8faace526c59a1706a3ad6d402752f2909fe110fe52cfc58f75d19743e3c4def5303a520b582e6b7985768a69f93e8171dc5f90df473d4ee0aebe207414e7c

memory/2180-138-0x0000000000000000-mapping.dmp

memory/2180-139-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2180-140-0x0000000074290000-0x0000000074841000-memory.dmp

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 3a77a4f220612fa55118fb8d7ddae83c
SHA1 b96fa726fc84fd46d03dd3c32689f645e0422278
SHA256 2cd6aacd0ed0f477f62833b13b97c26135f436dc59b0b09d4515a6c13cfe6e1f
SHA512 33a9cfc23d49505d7f2e1af4299ea2e6ccbe36daccc81c3dafc9652b8259083da88ee67312035e88dcbc1a6d76ce2c13b6067b6dbcc2afd310b91d4ee737c94d

memory/3416-141-0x0000000000000000-mapping.dmp

memory/2180-143-0x0000000074290000-0x0000000074841000-memory.dmp

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 3a77a4f220612fa55118fb8d7ddae83c
SHA1 b96fa726fc84fd46d03dd3c32689f645e0422278
SHA256 2cd6aacd0ed0f477f62833b13b97c26135f436dc59b0b09d4515a6c13cfe6e1f
SHA512 33a9cfc23d49505d7f2e1af4299ea2e6ccbe36daccc81c3dafc9652b8259083da88ee67312035e88dcbc1a6d76ce2c13b6067b6dbcc2afd310b91d4ee737c94d

memory/3416-145-0x0000000074290000-0x0000000074841000-memory.dmp

memory/1660-146-0x0000000000000000-mapping.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-28 18:13

Reported

2022-11-30 01:12

Platform

win7-20220812-en

Max time kernel

154s

Max time network

47s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f2ed55cb985dc9394ae8460794150ddde3c2d1260945db5be187e4c8fd14e5a3.exe"

Signatures

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A

njRAT/Bladabindi

trojan njrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f2ed55cb985dc9394ae8460794150ddde3c2d1260945db5be187e4c8fd14e5a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f2ed55cb985dc9394ae8460794150ddde3c2d1260945db5be187e4c8fd14e5a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f2ed55cb985dc9394ae8460794150ddde3c2d1260945db5be187e4c8fd14e5a3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f2ed55cb985dc9394ae8460794150ddde3c2d1260945db5be187e4c8fd14e5a3.exe N/A
N/A N/A C:\Windows\SysWOW64\WScript.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\SysWOW64\WScript.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\SysWOW64\WScript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\C:\Users\Admin\8G8MD9~1 = "C:\\Users\\Admin\\8G8MD9~1\\zffhsitfyanh.vbs" C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\C:\Users\Admin\8G8MD9~1 = "C:\\Users\\Admin\\8G8MD9~1\\zffhsitfyanh.vbs" C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\C:\Users\Admin\8G8MD9~1 = "C:\\Users\\Admin\\8G8MD9~1\\zffhsitfyanh.vbs" C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1292 set thread context of 964 N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 560 set thread context of 696 N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1056 set thread context of 1348 N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
N/A N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1948 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\f2ed55cb985dc9394ae8460794150ddde3c2d1260945db5be187e4c8fd14e5a3.exe C:\Users\Admin\8g8md9q55t9k8\msvoht.exe
PID 1948 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\f2ed55cb985dc9394ae8460794150ddde3c2d1260945db5be187e4c8fd14e5a3.exe C:\Users\Admin\8g8md9q55t9k8\msvoht.exe
PID 1948 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\f2ed55cb985dc9394ae8460794150ddde3c2d1260945db5be187e4c8fd14e5a3.exe C:\Users\Admin\8g8md9q55t9k8\msvoht.exe
PID 1948 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\f2ed55cb985dc9394ae8460794150ddde3c2d1260945db5be187e4c8fd14e5a3.exe C:\Users\Admin\8g8md9q55t9k8\msvoht.exe
PID 1948 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\f2ed55cb985dc9394ae8460794150ddde3c2d1260945db5be187e4c8fd14e5a3.exe C:\Users\Admin\8g8md9q55t9k8\msvoht.exe
PID 1948 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\f2ed55cb985dc9394ae8460794150ddde3c2d1260945db5be187e4c8fd14e5a3.exe C:\Users\Admin\8g8md9q55t9k8\msvoht.exe
PID 1948 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\f2ed55cb985dc9394ae8460794150ddde3c2d1260945db5be187e4c8fd14e5a3.exe C:\Users\Admin\8g8md9q55t9k8\msvoht.exe
PID 1292 wrote to memory of 964 N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1292 wrote to memory of 964 N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1292 wrote to memory of 964 N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1292 wrote to memory of 964 N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1292 wrote to memory of 964 N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1292 wrote to memory of 964 N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1292 wrote to memory of 964 N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1292 wrote to memory of 964 N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1292 wrote to memory of 1740 N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe C:\Windows\SysWOW64\WScript.exe
PID 1292 wrote to memory of 1740 N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe C:\Windows\SysWOW64\WScript.exe
PID 1292 wrote to memory of 1740 N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe C:\Windows\SysWOW64\WScript.exe
PID 1292 wrote to memory of 1740 N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe C:\Windows\SysWOW64\WScript.exe
PID 1292 wrote to memory of 1740 N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe C:\Windows\SysWOW64\WScript.exe
PID 1292 wrote to memory of 1740 N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe C:\Windows\SysWOW64\WScript.exe
PID 1292 wrote to memory of 1740 N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe C:\Windows\SysWOW64\WScript.exe
PID 1740 wrote to memory of 560 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\8g8md9q55t9k8\msvoht.exe
PID 1740 wrote to memory of 560 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\8g8md9q55t9k8\msvoht.exe
PID 1740 wrote to memory of 560 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\8g8md9q55t9k8\msvoht.exe
PID 1740 wrote to memory of 560 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\8g8md9q55t9k8\msvoht.exe
PID 1740 wrote to memory of 560 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\8g8md9q55t9k8\msvoht.exe
PID 1740 wrote to memory of 560 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\8g8md9q55t9k8\msvoht.exe
PID 1740 wrote to memory of 560 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\8g8md9q55t9k8\msvoht.exe
PID 560 wrote to memory of 696 N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 560 wrote to memory of 696 N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 560 wrote to memory of 696 N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 560 wrote to memory of 696 N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 560 wrote to memory of 696 N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 560 wrote to memory of 696 N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 560 wrote to memory of 696 N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 560 wrote to memory of 696 N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 560 wrote to memory of 696 N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 560 wrote to memory of 696 N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 560 wrote to memory of 696 N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 560 wrote to memory of 696 N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 696 wrote to memory of 320 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 696 wrote to memory of 320 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 696 wrote to memory of 320 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 696 wrote to memory of 320 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 696 wrote to memory of 320 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 696 wrote to memory of 320 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 696 wrote to memory of 320 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 560 wrote to memory of 748 N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe C:\Windows\SysWOW64\WScript.exe
PID 560 wrote to memory of 748 N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe C:\Windows\SysWOW64\WScript.exe
PID 560 wrote to memory of 748 N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe C:\Windows\SysWOW64\WScript.exe
PID 560 wrote to memory of 748 N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe C:\Windows\SysWOW64\WScript.exe
PID 560 wrote to memory of 748 N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe C:\Windows\SysWOW64\WScript.exe
PID 560 wrote to memory of 748 N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe C:\Windows\SysWOW64\WScript.exe
PID 560 wrote to memory of 748 N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe C:\Windows\SysWOW64\WScript.exe
PID 748 wrote to memory of 1056 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\8g8md9q55t9k8\msvoht.exe
PID 748 wrote to memory of 1056 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\8g8md9q55t9k8\msvoht.exe
PID 748 wrote to memory of 1056 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\8g8md9q55t9k8\msvoht.exe
PID 748 wrote to memory of 1056 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\8g8md9q55t9k8\msvoht.exe
PID 748 wrote to memory of 1056 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\8g8md9q55t9k8\msvoht.exe
PID 748 wrote to memory of 1056 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\8g8md9q55t9k8\msvoht.exe
PID 748 wrote to memory of 1056 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\8g8md9q55t9k8\msvoht.exe
PID 1056 wrote to memory of 1348 N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 1056 wrote to memory of 1348 N/A C:\Users\Admin\8g8md9q55t9k8\msvoht.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f2ed55cb985dc9394ae8460794150ddde3c2d1260945db5be187e4c8fd14e5a3.exe

"C:\Users\Admin\AppData\Local\Temp\f2ed55cb985dc9394ae8460794150ddde3c2d1260945db5be187e4c8fd14e5a3.exe"

C:\Users\Admin\8g8md9q55t9k8\msvoht.exe

"C:\Users\Admin\8g8md9q55t9k8\msvoht.exe" nzlmuc

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\8G8MD9~1\run.vbs"

C:\Users\Admin\8g8md9q55t9k8\msvoht.exe

"C:\Users\Admin\8g8md9q55t9k8\msvoht.exe" nzlmuc

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\8G8MD9~1\run.vbs"

C:\Users\Admin\8g8md9q55t9k8\msvoht.exe

"C:\Users\Admin\8g8md9q55t9k8\msvoht.exe" nzlmuc

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\8G8MD9~1\run.vbs"

C:\Users\Admin\8g8md9q55t9k8\msvoht.exe

"C:\Users\Admin\8g8md9q55t9k8\msvoht.exe" nzlmuc

Network

N/A

Files

memory/1948-54-0x00000000762F1000-0x00000000762F3000-memory.dmp

\Users\Admin\8g8md9q55t9k8\msvoht.exe

MD5 71d8f6d5dc35517275bc38ebcc815f9f
SHA1 cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256 fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA512 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

\Users\Admin\8g8md9q55t9k8\msvoht.exe

MD5 71d8f6d5dc35517275bc38ebcc815f9f
SHA1 cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256 fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA512 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

\Users\Admin\8g8md9q55t9k8\msvoht.exe

MD5 71d8f6d5dc35517275bc38ebcc815f9f
SHA1 cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256 fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA512 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

\Users\Admin\8g8md9q55t9k8\msvoht.exe

MD5 71d8f6d5dc35517275bc38ebcc815f9f
SHA1 cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256 fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA512 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

memory/1292-59-0x0000000000000000-mapping.dmp

C:\Users\Admin\8g8md9q55t9k8\msvoht.exe

MD5 71d8f6d5dc35517275bc38ebcc815f9f
SHA1 cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256 fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA512 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

C:\Users\Admin\8g8md9q55t9k8\nzlmuc

MD5 efccb25c461589f0fadb76d7decc4416
SHA1 72331e72388f985888efc98dad7cf05baca91762
SHA256 cfdb033efffb350639d73017b61dd28f58e3b96e89a384c84cde35b015eb42d0
SHA512 6edd3d53a27e00b22f4a98e368731e1c3a431762e5f52f2e839f0a9fa1e6c3edd86d7c8aa922ebedaf6ce707834bc55859f43805d751c713d99d58973f31a396

C:\Users\Admin\8G8MD9~1\jshvp.UNT

MD5 35b3cf90cee61304ff309c20704eb422
SHA1 72b771a97d39fdab15a70bc24fa31e25eeb0ab56
SHA256 e0eb8480787194877b9d8c0dea59400af9c41a3d99c9909ede2076f5596b1808
SHA512 f73df96afc8a40e8dbb2759c4c012596486e37159f0cb6b866d49d179422e4446a5dd62ce30596cccb0a50b3c558d8f17c081907d42c7c55577a9478e5a94d05

C:\Users\Admin\8G8MD9~1\yyiuyaz.UKC

MD5 cbbf6902528ee0709dad67d3838ac5bd
SHA1 6f5f3739da42afdd55265d44e6f224fea75db0ce
SHA256 13f22712b2458f01efc9351368e980bc073a072d825eedcb2f2aa43f9be4cc11
SHA512 da8faace526c59a1706a3ad6d402752f2909fe110fe52cfc58f75d19743e3c4def5303a520b582e6b7985768a69f93e8171dc5f90df473d4ee0aebe207414e7c

memory/964-66-0x000000000040748E-mapping.dmp

memory/1740-67-0x0000000000000000-mapping.dmp

C:\Users\Admin\8G8MD9~1\run.vbs

MD5 8de0d4e88d228dda91d024620c17a867
SHA1 d3a3bdbd922c17abd92d2a9bd3da09935689f884
SHA256 7c8ce594f9d4626c553f7caa972245fd9e6ccf4c380ca132c71c90ff647a9e7e
SHA512 034c0358bd509cd24410afac8e11b829eb1c3f6897452b63590b76fee9610c10aaeede2e60856eff58fa05d45ce4fed7f1e429e683f98d75dc9670be7ea0e589

memory/560-72-0x0000000000000000-mapping.dmp

C:\Users\Admin\8g8md9q55t9k8\msvoht.exe

MD5 71d8f6d5dc35517275bc38ebcc815f9f
SHA1 cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256 fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA512 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

\Users\Admin\8g8md9q55t9k8\msvoht.exe

MD5 71d8f6d5dc35517275bc38ebcc815f9f
SHA1 cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256 fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA512 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

C:\Users\Admin\8g8md9q55t9k8\msvoht.exe

MD5 71d8f6d5dc35517275bc38ebcc815f9f
SHA1 cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256 fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA512 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

memory/696-75-0x0000000000400000-0x000000000040C000-memory.dmp

memory/696-76-0x0000000000400000-0x000000000040C000-memory.dmp

memory/696-78-0x0000000000400000-0x000000000040C000-memory.dmp

memory/696-79-0x0000000000400000-0x000000000040C000-memory.dmp

memory/696-80-0x0000000000400000-0x000000000040C000-memory.dmp

memory/696-81-0x000000000040748E-mapping.dmp

memory/696-83-0x0000000000400000-0x000000000040C000-memory.dmp

memory/696-85-0x0000000000400000-0x000000000040C000-memory.dmp

memory/696-87-0x00000000748C0000-0x0000000074E6B000-memory.dmp

\Users\Admin\AppData\Roaming\svchost.exe

MD5 d79f070423fdd3f01ce8c2ba3fbbc8ed
SHA1 2f8ed26eb714b4efbe5d7a3167e33ade82c51fd8
SHA256 97bd627ebfc4d40b21ebaaed916a1ba53859520edc99537b37d042a0d5425a5a
SHA512 47bdc8cce5cd308053d9429a512924448e65023d154b798668d1ee8f628c1b548651e968e7c03db4a6770705f382b9e96db246c39f838000924985b53ccaa3db

memory/320-89-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 d79f070423fdd3f01ce8c2ba3fbbc8ed
SHA1 2f8ed26eb714b4efbe5d7a3167e33ade82c51fd8
SHA256 97bd627ebfc4d40b21ebaaed916a1ba53859520edc99537b37d042a0d5425a5a
SHA512 47bdc8cce5cd308053d9429a512924448e65023d154b798668d1ee8f628c1b548651e968e7c03db4a6770705f382b9e96db246c39f838000924985b53ccaa3db

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 d79f070423fdd3f01ce8c2ba3fbbc8ed
SHA1 2f8ed26eb714b4efbe5d7a3167e33ade82c51fd8
SHA256 97bd627ebfc4d40b21ebaaed916a1ba53859520edc99537b37d042a0d5425a5a
SHA512 47bdc8cce5cd308053d9429a512924448e65023d154b798668d1ee8f628c1b548651e968e7c03db4a6770705f382b9e96db246c39f838000924985b53ccaa3db

memory/696-93-0x00000000748C0000-0x0000000074E6B000-memory.dmp

memory/320-94-0x00000000748C0000-0x0000000074E6B000-memory.dmp

memory/748-95-0x0000000000000000-mapping.dmp

\Users\Admin\8g8md9q55t9k8\msvoht.exe

MD5 71d8f6d5dc35517275bc38ebcc815f9f
SHA1 cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256 fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA512 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

C:\Users\Admin\8g8md9q55t9k8\msvoht.exe

MD5 71d8f6d5dc35517275bc38ebcc815f9f
SHA1 cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256 fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA512 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

memory/1056-98-0x0000000000000000-mapping.dmp

memory/1348-107-0x000000000040748E-mapping.dmp

memory/1348-109-0x0000000000400000-0x000000000040C000-memory.dmp

memory/1348-111-0x0000000000400000-0x000000000040C000-memory.dmp

memory/1348-113-0x0000000074B30000-0x00000000750DB000-memory.dmp

\Users\Admin\AppData\Roaming\svchost.exe

MD5 d79f070423fdd3f01ce8c2ba3fbbc8ed
SHA1 2f8ed26eb714b4efbe5d7a3167e33ade82c51fd8
SHA256 97bd627ebfc4d40b21ebaaed916a1ba53859520edc99537b37d042a0d5425a5a
SHA512 47bdc8cce5cd308053d9429a512924448e65023d154b798668d1ee8f628c1b548651e968e7c03db4a6770705f382b9e96db246c39f838000924985b53ccaa3db

memory/1604-115-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 d79f070423fdd3f01ce8c2ba3fbbc8ed
SHA1 2f8ed26eb714b4efbe5d7a3167e33ade82c51fd8
SHA256 97bd627ebfc4d40b21ebaaed916a1ba53859520edc99537b37d042a0d5425a5a
SHA512 47bdc8cce5cd308053d9429a512924448e65023d154b798668d1ee8f628c1b548651e968e7c03db4a6770705f382b9e96db246c39f838000924985b53ccaa3db

memory/1348-117-0x0000000074B30000-0x00000000750DB000-memory.dmp

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 d79f070423fdd3f01ce8c2ba3fbbc8ed
SHA1 2f8ed26eb714b4efbe5d7a3167e33ade82c51fd8
SHA256 97bd627ebfc4d40b21ebaaed916a1ba53859520edc99537b37d042a0d5425a5a
SHA512 47bdc8cce5cd308053d9429a512924448e65023d154b798668d1ee8f628c1b548651e968e7c03db4a6770705f382b9e96db246c39f838000924985b53ccaa3db

memory/1604-120-0x0000000074AB0000-0x000000007505B000-memory.dmp

memory/1556-121-0x0000000000000000-mapping.dmp

\Users\Admin\8g8md9q55t9k8\msvoht.exe

MD5 71d8f6d5dc35517275bc38ebcc815f9f
SHA1 cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256 fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA512 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

memory/1928-124-0x0000000000000000-mapping.dmp

C:\Users\Admin\8g8md9q55t9k8\msvoht.exe

MD5 71d8f6d5dc35517275bc38ebcc815f9f
SHA1 cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256 fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA512 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59